3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Size

1.1MB
MD5

e14da869722a5fc49575747207f3121a
SHA1

f82965621ae92a04860f86d01dc02b5ed95bf18a
SHA256

3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae
SHA512

9ba57544ac5f709e2d49e2ad21f7bba4daffc7c8f9d2ae66561c8061b467f737ee56c343bb306ef465f5153d903101b869ea6d6324e2b58d81d4b8add5817da3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QV:acallSllG4ZM7QzMO

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2568	svchcst.exe
2900	svchcst.exe
276	svchcst.exe
2936	svchcst.exe
1656	svchcst.exe
2480	svchcst.exe
1668	svchcst.exe
2704	svchcst.exe
1400	svchcst.exe
2896	svchcst.exe
348	svchcst.exe
2016	svchcst.exe
828	svchcst.exe
2332	svchcst.exe
2552	svchcst.exe
3000	svchcst.exe
756	svchcst.exe
1732	svchcst.exe
856	svchcst.exe
1916	svchcst.exe
2508	svchcst.exe
3024	svchcst.exe
2604	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2820	WScript.exe
2820	WScript.exe
2464	WScript.exe
2464	WScript.exe
2064	WScript.exe
2064	WScript.exe
2132	WScript.exe
1984	WScript.exe
2952	WScript.exe
2504	WScript.exe
2504	WScript.exe
2068	WScript.exe
2764	WScript.exe
2764	WScript.exe
2764	WScript.exe
1560	WScript.exe
2932	WScript.exe
1648	WScript.exe
1648	WScript.exe
1044	WScript.exe
1044	WScript.exe
1428	WScript.exe
1428	WScript.exe
1032	WScript.exe
1032	WScript.exe
1516	WScript.exe
1516	WScript.exe
1400	WScript.exe
1400	WScript.exe
764	WScript.exe
764	WScript.exe
2008	WScript.exe
2008	WScript.exe
1432	WScript.exe
1432	WScript.exe
2456	WScript.exe
2456	WScript.exe
2964	WScript.exe
2964	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
2568	svchcst.exe
2568	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
276	svchcst.exe
276	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1400	svchcst.exe
1400	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
348	svchcst.exe
348	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
828	svchcst.exe
828	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
756	svchcst.exe
756	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
856	svchcst.exe
856	svchcst.exe
1916	svchcst.exe
1916	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2820	2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	31
PID 2380 wrote to memory of 2820	2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	31
PID 2380 wrote to memory of 2820	2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	31
PID 2380 wrote to memory of 2820	2380	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	31
PID 2820 wrote to memory of 2568	2820	WScript.exe	33
PID 2820 wrote to memory of 2568	2820	WScript.exe	33
PID 2820 wrote to memory of 2568	2820	WScript.exe	33
PID 2820 wrote to memory of 2568	2820	WScript.exe	33
PID 2568 wrote to memory of 2464	2568	svchcst.exe	34
PID 2568 wrote to memory of 2464	2568	svchcst.exe	34
PID 2568 wrote to memory of 2464	2568	svchcst.exe	34
PID 2568 wrote to memory of 2464	2568	svchcst.exe	34
PID 2464 wrote to memory of 2900	2464	WScript.exe	35
PID 2464 wrote to memory of 2900	2464	WScript.exe	35
PID 2464 wrote to memory of 2900	2464	WScript.exe	35
PID 2464 wrote to memory of 2900	2464	WScript.exe	35
PID 2900 wrote to memory of 2064	2900	svchcst.exe	36
PID 2900 wrote to memory of 2064	2900	svchcst.exe	36
PID 2900 wrote to memory of 2064	2900	svchcst.exe	36
PID 2900 wrote to memory of 2064	2900	svchcst.exe	36
PID 2900 wrote to memory of 1904	2900	svchcst.exe	37
PID 2900 wrote to memory of 1904	2900	svchcst.exe	37
PID 2900 wrote to memory of 1904	2900	svchcst.exe	37
PID 2900 wrote to memory of 1904	2900	svchcst.exe	37
PID 2064 wrote to memory of 276	2064	WScript.exe	38
PID 2064 wrote to memory of 276	2064	WScript.exe	38
PID 2064 wrote to memory of 276	2064	WScript.exe	38
PID 2064 wrote to memory of 276	2064	WScript.exe	38
PID 276 wrote to memory of 2132	276	svchcst.exe	39
PID 276 wrote to memory of 2132	276	svchcst.exe	39
PID 276 wrote to memory of 2132	276	svchcst.exe	39
PID 276 wrote to memory of 2132	276	svchcst.exe	39
PID 2132 wrote to memory of 2936	2132	WScript.exe	40
PID 2132 wrote to memory of 2936	2132	WScript.exe	40
PID 2132 wrote to memory of 2936	2132	WScript.exe	40
PID 2132 wrote to memory of 2936	2132	WScript.exe	40
PID 2936 wrote to memory of 1984	2936	svchcst.exe	41
PID 2936 wrote to memory of 1984	2936	svchcst.exe	41
PID 2936 wrote to memory of 1984	2936	svchcst.exe	41
PID 2936 wrote to memory of 1984	2936	svchcst.exe	41
PID 1984 wrote to memory of 1656	1984	WScript.exe	42
PID 1984 wrote to memory of 1656	1984	WScript.exe	42
PID 1984 wrote to memory of 1656	1984	WScript.exe	42
PID 1984 wrote to memory of 1656	1984	WScript.exe	42
PID 1656 wrote to memory of 2952	1656	svchcst.exe	43
PID 1656 wrote to memory of 2952	1656	svchcst.exe	43
PID 1656 wrote to memory of 2952	1656	svchcst.exe	43
PID 1656 wrote to memory of 2952	1656	svchcst.exe	43
PID 2952 wrote to memory of 2480	2952	WScript.exe	44
PID 2952 wrote to memory of 2480	2952	WScript.exe	44
PID 2952 wrote to memory of 2480	2952	WScript.exe	44
PID 2952 wrote to memory of 2480	2952	WScript.exe	44
PID 2480 wrote to memory of 2504	2480	svchcst.exe	45
PID 2480 wrote to memory of 2504	2480	svchcst.exe	45
PID 2480 wrote to memory of 2504	2480	svchcst.exe	45
PID 2480 wrote to memory of 2504	2480	svchcst.exe	45
PID 2504 wrote to memory of 1668	2504	WScript.exe	46
PID 2504 wrote to memory of 1668	2504	WScript.exe	46
PID 2504 wrote to memory of 1668	2504	WScript.exe	46
PID 2504 wrote to memory of 1668	2504	WScript.exe	46
PID 1668 wrote to memory of 2068	1668	svchcst.exe	47
PID 1668 wrote to memory of 2068	1668	svchcst.exe	47
PID 1668 wrote to memory of 2068	1668	svchcst.exe	47
PID 1668 wrote to memory of 2068	1668	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
"C:\Users\Admin\AppData\Local\Temp\3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
56cbfd10245384fed5bb82c50babdbb4

SHA1
f84b04e77f84f932be9e3b72fe459ae3f2bd15d2

SHA256
db66cb2a1a461412b10bfb9746360b03e3223fb4938bc3082fb68bda744893d6

SHA512
f31f55f592d9f72e53b917c890927234e02fab2d24ae5807cb5fe2af681dab3f4e4af7a86b954cad32173c65d55e55e74a367a8599b5a2f05a61df766202d7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
be2f9274c908085e192e3d5240bc1c37

SHA1
70736f0782e4109d0e864fe1bc8b0a81894c7fbd

SHA256
da6f0400d560cfcc99566664f4fa495b00d3cd4b0153819c4a7c43474c7b8830

SHA512
7621bb46b00a6bac698980a551acf4c9ebbd0d7f7d6eba505e423ccb2673c52cecc502f8d9c4e2659b8355cfafbfc0b18765efa9bdd67665f684cc72d844a8d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b18e36eafa3f88d61777238f095fce44

SHA1
0cd0b3bcea86146fc0d27ba20954aaa50f3a2334

SHA256
0153568e7dc8b411733630699639af03315e0f40b44a2875b1205c89bbd92ea9

SHA512
956844866d2175e9700221ce0d2f7c0747ae025367c5e5ba9b7f2ba1b57b7bddda1c0db9ceecedda7a3a5ddc50e4153b83a3380937e4398141d4363e0cfe455c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ef49f6ca8f449193414b75b0dd64789d

SHA1
0267f528bf33f574704156730d32179782a1db30

SHA256
30f84fb2cc9eba7e70d954e2e3b26b58343d4b96aa1c7589779f02226304a871

SHA512
688cb64b304cf3261042f85667b2aea1a1627a7938abb9586646a4e17cb39f2b95d0640b624419fb6b6f703f0b90d3f16d670ffb925ba26d397a2a75c694a832

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
09fabfe6b94eb90856aee08fc2aab1e3

SHA1
e459ee6cb2f0080e69f069f4cf1c13be5dd46afe

SHA256
78073af966c2cbdaa62363713ef7546dafd3749e7dfb5b7cc1ea4589ebf4b304

SHA512
e16f944804c7723bf85b2a35fe6298e51c896e460378c804f9fd60eacdc1c9aace66219a5f85207177b516bd9bee81e8ad3bf3c07480d3fd2af44d04c6a6823f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7de849b603f999d107ce723cb857512d

SHA1
1e4964f08c68c02f68c42e395fb1405f7453c50d

SHA256
f095633732ee029c210aceca083e37e3aa7afde8061e242014846c014054521b

SHA512
52c36ddcb3f383fdae187433862413f3361968ab7f2c1300b28b9d2efbba59f55053684568f182b76f4d661d87ecdc7f43b7c7413b9c35a64f5e68d78deebdfc

Download Submit
memory/276-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/276-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/828-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/828-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-168-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1984-70-0x0000000004820000-0x000000000497F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-42-0x00000000048F0000-0x0000000004A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-62-0x00000000048F0000-0x0000000004A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-26-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/2480-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-95-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2508-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-160-0x0000000005EB0000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-78-0x0000000004640000-0x000000000479F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-236-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download