0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
Size

1.1MB
MD5

72ea84f57ec7914cd5e8beb478531a82
SHA1

22323c68baeb3ca22749b128db512544ad6225b2
SHA256

0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859
SHA512

85c0fe92f917fc4cba6a3b54a7086c3a7e91dd404f7a72c8c99914d1168b8726fee1328cf3d3338e61a9ac3456a26f0b377704a791d3cb300b4b31cef2d99cda
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qw:acallSllG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2744	svchcst.exe
1396	svchcst.exe
1988	svchcst.exe
2220	svchcst.exe
2952	svchcst.exe
664	svchcst.exe
1568	svchcst.exe
1732	svchcst.exe
1548	svchcst.exe
2708	svchcst.exe
1616	svchcst.exe
2212	svchcst.exe
924	svchcst.exe
2136	svchcst.exe
536	svchcst.exe
2608	svchcst.exe
2656	svchcst.exe
1404	svchcst.exe
872	svchcst.exe
2216	svchcst.exe
3004	svchcst.exe
2996	svchcst.exe
876	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2404	WScript.exe
2404	WScript.exe
2576	WScript.exe
1040	WScript.exe
1040	WScript.exe
2164	WScript.exe
1744	WScript.exe
1744	WScript.exe
1916	WScript.exe
1916	WScript.exe
2304	WScript.exe
2772	WScript.exe
2772	WScript.exe
2772	WScript.exe
2884	WScript.exe
3008	WScript.exe
1220	WScript.exe
1220	WScript.exe
1672	WScript.exe
2288	WScript.exe
2288	WScript.exe
2064	WScript.exe
2064	WScript.exe
2628	WScript.exe
2628	WScript.exe
1996	WScript.exe
1996	WScript.exe
1712	WScript.exe
1712	WScript.exe
3000	WScript.exe
3000	WScript.exe
2680	WScript.exe
2680	WScript.exe
1896	WScript.exe
1896	WScript.exe
1744	WScript.exe
1744	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2744	svchcst.exe
2744	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
664	svchcst.exe
664	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1548	svchcst.exe
1548	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
924	svchcst.exe
924	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
872	svchcst.exe
872	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
876	svchcst.exe
876	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2404	2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	30
PID 2152 wrote to memory of 2404	2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	30
PID 2152 wrote to memory of 2404	2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	30
PID 2152 wrote to memory of 2404	2152	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	30
PID 2404 wrote to memory of 2744	2404	WScript.exe	33
PID 2404 wrote to memory of 2744	2404	WScript.exe	33
PID 2404 wrote to memory of 2744	2404	WScript.exe	33
PID 2404 wrote to memory of 2744	2404	WScript.exe	33
PID 2744 wrote to memory of 2576	2744	svchcst.exe	34
PID 2744 wrote to memory of 2576	2744	svchcst.exe	34
PID 2744 wrote to memory of 2576	2744	svchcst.exe	34
PID 2744 wrote to memory of 2576	2744	svchcst.exe	34
PID 2576 wrote to memory of 1396	2576	WScript.exe	35
PID 2576 wrote to memory of 1396	2576	WScript.exe	35
PID 2576 wrote to memory of 1396	2576	WScript.exe	35
PID 2576 wrote to memory of 1396	2576	WScript.exe	35
PID 1396 wrote to memory of 1040	1396	svchcst.exe	36
PID 1396 wrote to memory of 1040	1396	svchcst.exe	36
PID 1396 wrote to memory of 1040	1396	svchcst.exe	36
PID 1396 wrote to memory of 1040	1396	svchcst.exe	36
PID 1040 wrote to memory of 1988	1040	WScript.exe	37
PID 1040 wrote to memory of 1988	1040	WScript.exe	37
PID 1040 wrote to memory of 1988	1040	WScript.exe	37
PID 1040 wrote to memory of 1988	1040	WScript.exe	37
PID 1988 wrote to memory of 1688	1988	svchcst.exe	38
PID 1988 wrote to memory of 1688	1988	svchcst.exe	38
PID 1988 wrote to memory of 1688	1988	svchcst.exe	38
PID 1988 wrote to memory of 1688	1988	svchcst.exe	38
PID 1040 wrote to memory of 2220	1040	WScript.exe	39
PID 1040 wrote to memory of 2220	1040	WScript.exe	39
PID 1040 wrote to memory of 2220	1040	WScript.exe	39
PID 1040 wrote to memory of 2220	1040	WScript.exe	39
PID 2220 wrote to memory of 2164	2220	svchcst.exe	40
PID 2220 wrote to memory of 2164	2220	svchcst.exe	40
PID 2220 wrote to memory of 2164	2220	svchcst.exe	40
PID 2220 wrote to memory of 2164	2220	svchcst.exe	40
PID 2164 wrote to memory of 2952	2164	WScript.exe	41
PID 2164 wrote to memory of 2952	2164	WScript.exe	41
PID 2164 wrote to memory of 2952	2164	WScript.exe	41
PID 2164 wrote to memory of 2952	2164	WScript.exe	41
PID 2952 wrote to memory of 1744	2952	svchcst.exe	42
PID 2952 wrote to memory of 1744	2952	svchcst.exe	42
PID 2952 wrote to memory of 1744	2952	svchcst.exe	42
PID 2952 wrote to memory of 1744	2952	svchcst.exe	42
PID 1744 wrote to memory of 664	1744	WScript.exe	43
PID 1744 wrote to memory of 664	1744	WScript.exe	43
PID 1744 wrote to memory of 664	1744	WScript.exe	43
PID 1744 wrote to memory of 664	1744	WScript.exe	43
PID 664 wrote to memory of 1916	664	svchcst.exe	44
PID 664 wrote to memory of 1916	664	svchcst.exe	44
PID 664 wrote to memory of 1916	664	svchcst.exe	44
PID 664 wrote to memory of 1916	664	svchcst.exe	44
PID 1916 wrote to memory of 1568	1916	WScript.exe	45
PID 1916 wrote to memory of 1568	1916	WScript.exe	45
PID 1916 wrote to memory of 1568	1916	WScript.exe	45
PID 1916 wrote to memory of 1568	1916	WScript.exe	45
PID 1568 wrote to memory of 2304	1568	svchcst.exe	46
PID 1568 wrote to memory of 2304	1568	svchcst.exe	46
PID 1568 wrote to memory of 2304	1568	svchcst.exe	46
PID 1568 wrote to memory of 2304	1568	svchcst.exe	46
PID 2304 wrote to memory of 1732	2304	WScript.exe	47
PID 2304 wrote to memory of 1732	2304	WScript.exe	47
PID 2304 wrote to memory of 1732	2304	WScript.exe	47
PID 2304 wrote to memory of 1732	2304	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
"C:\Users\Admin\AppData\Local\Temp\0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
11da80ce401464eb39587febdb3d3d78

SHA1
3b685ab909ee1dce90e7500321033e1e0d947622

SHA256
b47590ea64dd8477d4788522b0384e1eb8ca20e83bc5d6cb4c891e4ea36f1120

SHA512
f433c2bf11be1c6bdc47547c00d3bc018c235eed23426adc77aef18e59e67617d117f3d273accda89bf88a90b1dce7dbe18c2b847ee9d068785c86fdbc22c727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
840853c0aa5a4d702a8110a0cb763b4b

SHA1
58d028e09818c3fd2a9d521c26772cf4d1a9072a

SHA256
4438df44bf53668a332407b1c60d745bd1293a3f1acab9953b1d77e5131d2728

SHA512
f2b044e4710dadb03164bc78519207bd8d39d2cf9d4568fc11c38271eabc3e57410083b1cf29e40b1f6119ffa33ed4784ef652f112e50b554c2983755a606b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
edbcc808c7bdb0d98aae03054694caa0

SHA1
78d17fc87b472fa797c32d46980c583e82b0e1a1

SHA256
a161f506cddd631c900cd03587c5fded7f261ddeeb3695bfb83c8e0d5e520d3d

SHA512
c543300ad017542dcd7f539cf038520ca33b90d33cbc6c47e54734b8576d0a0e6a25bc4db1b4698ab52b4d71e0f97f85d398f12fa8ee92318c1570b21be56015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5b646ae6062e213ec3ebdb48710c315

SHA1
742ea57d82ae4326297f04d920b8bd7309cd3d44

SHA256
f3118edb5947b0ac74c6db5e413e933ac267c1e445fb39fca0a8de398d057411

SHA512
98371f331410e5b4abc5e8c8ff647324717cf970388b879a421bb8a8dbbd6e7840560d101a8bc609579279ed8f401e08a0c6485ba97dc9ab87fddcc329188d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4845a280a8a35578698606df9e100df3

SHA1
fd968a9157e11f3476615640c40ee24e6da64072

SHA256
9c1449c6f9701eb522a9f67db82239fd22032a75859c146bff755688fa8000b4

SHA512
e22bc73134dcce56d721df24cbad15c32e04df7d0a13f2ad4a2339b09f1736d4a0ddbc2c24d5d74f4e3485bfcbb4fd485d11357e795f8f8a009f25a25a7d1a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43c7813ac3141ca4cbde5556bfcda12c

SHA1
0f51d099f7ff95bf86ac1829a39640d866d36a7d

SHA256
fd9567f7bc658b434deb9acbfd07f2846e3dd5e701ba6f386dd9fc71d8c4a35f

SHA512
f58131e571dfe5d97ecd882c3a379f82e168083a957725fb1ba127ad7ea724b9d7cda66f00d4908723e628cfcae1c160d07bb89b1e0000d2b74f2ac699bc89f7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
208ab8f66a98cb769835bb6c368c9d94

SHA1
7ce9f41e4f16d0fd8e513f0081691fba05970f79

SHA256
8b37499c4c1202acb84409410e13e2c11fc53fbd2addc68d3a164ce72f86500a

SHA512
72d9cb574c39487b2b8086de082d8777bbca1f052766215f8b9c0ea94fdd9c6befbf832ad158e4008c41ccd55fd22ff3e463109c8465cc368855062718fb1186

Download Submit
memory/536-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/664-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/664-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1396-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1396-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1568-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1568-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1672-167-0x0000000004850000-0x00000000049AF000-memory.dmp

Filesize
1.4MB

Download
memory/1712-225-0x0000000005F70000-0x00000000060CF000-memory.dmp

Filesize
1.4MB

Download
memory/1732-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-216-0x0000000005A70000-0x0000000005BCF000-memory.dmp

Filesize
1.4MB

Download
memory/2136-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2136-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-176-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2404-14-0x00000000058D0000-0x0000000005A2F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-207-0x00000000059F0000-0x0000000005B4F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-218-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download