344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
Size

1.1MB
MD5

9c7195e38abdb5efe077dda4a0282362
SHA1

1827ad89046b9634f7453da8cd86602c52209f7a
SHA256

344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd
SHA512

95197a42866be0922edcfd9f84a150f65aa8a87811d72d65a882c14c7633285df44b1dfb596bd26127d5216a7f610d1be5a4c9feea5ed37970db27193f647cf1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q7:acallSllG4ZM7QzM8

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2868	svchcst.exe
2932	svchcst.exe
1424	svchcst.exe
3056	svchcst.exe
1236	svchcst.exe
692	svchcst.exe
1064	svchcst.exe
2308	svchcst.exe
2740	svchcst.exe
2944	svchcst.exe
2564	svchcst.exe
1952	svchcst.exe
1456	svchcst.exe
1592	svchcst.exe
2400	svchcst.exe
2192	svchcst.exe
2816	svchcst.exe
1996	svchcst.exe
2944	svchcst.exe
2380	svchcst.exe
1096	svchcst.exe
1060	svchcst.exe
2736	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2492	WScript.exe
2492	WScript.exe
2624	WScript.exe
3016	WScript.exe
2520	WScript.exe
2520	WScript.exe
2176	WScript.exe
2096	WScript.exe
2096	WScript.exe
2444	WScript.exe
2444	WScript.exe
1820	WScript.exe
2820	WScript.exe
2820	WScript.exe
2820	WScript.exe
2588	WScript.exe
2588	WScript.exe
2588	WScript.exe
3028	WScript.exe
1236	WScript.exe
1236	WScript.exe
1236	WScript.exe
1236	WScript.exe
588	WScript.exe
588	WScript.exe
2808	WScript.exe
2808	WScript.exe
2992	WScript.exe
2992	WScript.exe
2036	WScript.exe
2036	WScript.exe
2696	WScript.exe
2696	WScript.exe
808	WScript.exe
808	WScript.exe
544	WScript.exe
544	WScript.exe
892	WScript.exe
892	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
2868	svchcst.exe
2868	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
1424	svchcst.exe
1424	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
692	svchcst.exe
692	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2492	2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	30
PID 2136 wrote to memory of 2492	2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	30
PID 2136 wrote to memory of 2492	2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	30
PID 2136 wrote to memory of 2492	2136	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	30
PID 2492 wrote to memory of 2868	2492	WScript.exe	33
PID 2492 wrote to memory of 2868	2492	WScript.exe	33
PID 2492 wrote to memory of 2868	2492	WScript.exe	33
PID 2492 wrote to memory of 2868	2492	WScript.exe	33
PID 2868 wrote to memory of 2624	2868	svchcst.exe	34
PID 2868 wrote to memory of 2624	2868	svchcst.exe	34
PID 2868 wrote to memory of 2624	2868	svchcst.exe	34
PID 2868 wrote to memory of 2624	2868	svchcst.exe	34
PID 2624 wrote to memory of 2932	2624	WScript.exe	35
PID 2624 wrote to memory of 2932	2624	WScript.exe	35
PID 2624 wrote to memory of 2932	2624	WScript.exe	35
PID 2624 wrote to memory of 2932	2624	WScript.exe	35
PID 2932 wrote to memory of 3016	2932	svchcst.exe	36
PID 2932 wrote to memory of 3016	2932	svchcst.exe	36
PID 2932 wrote to memory of 3016	2932	svchcst.exe	36
PID 2932 wrote to memory of 3016	2932	svchcst.exe	36
PID 3016 wrote to memory of 1424	3016	WScript.exe	37
PID 3016 wrote to memory of 1424	3016	WScript.exe	37
PID 3016 wrote to memory of 1424	3016	WScript.exe	37
PID 3016 wrote to memory of 1424	3016	WScript.exe	37
PID 1424 wrote to memory of 2520	1424	svchcst.exe	38
PID 1424 wrote to memory of 2520	1424	svchcst.exe	38
PID 1424 wrote to memory of 2520	1424	svchcst.exe	38
PID 1424 wrote to memory of 2520	1424	svchcst.exe	38
PID 2520 wrote to memory of 3056	2520	WScript.exe	39
PID 2520 wrote to memory of 3056	2520	WScript.exe	39
PID 2520 wrote to memory of 3056	2520	WScript.exe	39
PID 2520 wrote to memory of 3056	2520	WScript.exe	39
PID 3056 wrote to memory of 2176	3056	svchcst.exe	40
PID 3056 wrote to memory of 2176	3056	svchcst.exe	40
PID 3056 wrote to memory of 2176	3056	svchcst.exe	40
PID 3056 wrote to memory of 2176	3056	svchcst.exe	40
PID 2176 wrote to memory of 1236	2176	WScript.exe	41
PID 2176 wrote to memory of 1236	2176	WScript.exe	41
PID 2176 wrote to memory of 1236	2176	WScript.exe	41
PID 2176 wrote to memory of 1236	2176	WScript.exe	41
PID 1236 wrote to memory of 2096	1236	svchcst.exe	42
PID 1236 wrote to memory of 2096	1236	svchcst.exe	42
PID 1236 wrote to memory of 2096	1236	svchcst.exe	42
PID 1236 wrote to memory of 2096	1236	svchcst.exe	42
PID 2096 wrote to memory of 692	2096	WScript.exe	43
PID 2096 wrote to memory of 692	2096	WScript.exe	43
PID 2096 wrote to memory of 692	2096	WScript.exe	43
PID 2096 wrote to memory of 692	2096	WScript.exe	43
PID 692 wrote to memory of 2444	692	svchcst.exe	44
PID 692 wrote to memory of 2444	692	svchcst.exe	44
PID 692 wrote to memory of 2444	692	svchcst.exe	44
PID 692 wrote to memory of 2444	692	svchcst.exe	44
PID 2444 wrote to memory of 1064	2444	WScript.exe	45
PID 2444 wrote to memory of 1064	2444	WScript.exe	45
PID 2444 wrote to memory of 1064	2444	WScript.exe	45
PID 2444 wrote to memory of 1064	2444	WScript.exe	45
PID 1064 wrote to memory of 1820	1064	svchcst.exe	46
PID 1064 wrote to memory of 1820	1064	svchcst.exe	46
PID 1064 wrote to memory of 1820	1064	svchcst.exe	46
PID 1064 wrote to memory of 1820	1064	svchcst.exe	46
PID 1820 wrote to memory of 2308	1820	WScript.exe	47
PID 1820 wrote to memory of 2308	1820	WScript.exe	47
PID 1820 wrote to memory of 2308	1820	WScript.exe	47
PID 1820 wrote to memory of 2308	1820	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
"C:\Users\Admin\AppData\Local\Temp\344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
654066544a2c34427ae141be0604637d

SHA1
3c3ef9929496bbf38e560c72fad417e313b38ca1

SHA256
145a85e9460e14fde10b4e57e58a2f98158e84d00426eff36739135107d44a2e

SHA512
ed74a59b388587f302e6893e29220dfe71f0aa8be1b3dc0c562e8374483eef612284ed6244170837c564e14e6b2b25fc950dd92cee5d765d85552ef4390c259f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f55cbb899dc1fc483b7168ab371904b3

SHA1
e5b35e5aeeb3399c01172fd0c03f2b0909431b26

SHA256
af00d02825278b99dc1d0c1b6db3e6af53b537eceb4b752e40488de92aabbf43

SHA512
d771fbf1a894ee824ce58b49da9bb419e78fd6076ffde1fb10e2a0a86bc00c7d1a060bf4a2e46725ef1462ce0494fb93e395d88f7324e19a1d1f68a8d2c1ed25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8ff80dd5804cf66932ff78a10fcb5fc

SHA1
e13f17564b8bf8d6358f7be20cd81e9e15a3e5a8

SHA256
925a34cea4f1a4610d81015e87c95e0b07e01958afe4749284b8409f21b7c3f3

SHA512
19ecf1efab4e47a47f8b6689a5b33d14d15baa12b8817bd54f7acc80c2bd7b6abfea5b567aa3f733f6a7a438bbdf806270784c70195e7eb9d94d4be87f746c53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a5fb025d60dca1a15c21564833ae022f

SHA1
83d672f37a071260d57fed2304a41326c0618a65

SHA256
077d41882e98760b6b69675f3ec8bd62a0bf0a39f25a6c552f97674166498516

SHA512
b96945ba509c07ac824bd12dd8f61836a1d9ae453c588ee38972c2b08cc28e2a6e7a33db558397cb94bddd2a78b5ff6d235728838edb0c043e6a80791b2788c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2783f8b7460871aeab42611d8d1cfb30

SHA1
9d69016555772f6fde9c33baf9b4120cca24a63f

SHA256
196cdc57e16af6ed21d8911ca01ec901e8306f344ab7c9666e718cc61aba2233

SHA512
987e83dae4f6539d32534441e681f40a016f4a1b9eec4575c7b8a9a169da3a1011572ce0bddd7445c59eec7e7fa41ce6129fde5c7b74a9896877c6c18945337d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
935f472f696bf3b90d1bb34c4546ffe5

SHA1
3310105c2b9a5b063fda68972212683dc2c71fcf

SHA256
08d2bc8f84885275bf8986638065b88c1e915dd9669b852a53061482f06cacbe

SHA512
6be4cca2aca8e55d6450bf7f06276816b5741f7e4157136b632121d6e35434a771fd1efb93c1aded8ef80c33fe916b48634bdadf8de27a1ce96652784418f14f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c288fc3c7cf3402639f0b90a3c5c7b18

SHA1
c5842e41d2d743eba707ca7f467117a5fb10991a

SHA256
e0735581c1f4ca859689107095e0299837a1fcc0db0077a6b8959e1457cd1861

SHA512
dac51ed5686c79e30014ae26e5513dc8daefa3810671cd760d5eda9eeff41da129e9960fd57b99ee2f2a98ae55b1518d9d0b252ab015b4e0f0e02adcb95a2537

Download Submit
memory/692-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1064-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1064-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1096-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-185-0x0000000004810000-0x000000000496F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-184-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-218-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2096-84-0x00000000042C0000-0x000000000441F000-memory.dmp

Filesize
1.4MB

Download
memory/2136-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2136-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-69-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2192-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-99-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-100-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-14-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-19-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-60-0x00000000048F0000-0x0000000004A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-55-0x00000000048F0000-0x0000000004A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-154-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-149-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-49-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/2736-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-39-0x00000000048D0000-0x0000000004A2F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download