Overview

overview

10

Static

static

7

2025-03-29...er.exe

windows7-x64

7

2025-03-29...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe

  • Size

    7.6MB

  • MD5

    e4315017ccc1f9d1a181f2d2f501b96c

  • SHA1

    6a92fdbeb08ad05dbf80ce9571caced3097603dd

  • SHA256

    10d1b5f7b7a33187e51dc0fecb01aca2da1f978b809ae8f54e1c772775c3dbda

  • SHA512

    0191ce9ec60f3a21fbbec51806f0a05647c625c999571617d11edb21ed50bcf7c6105a2d60589338be4944436a5faeebba631779e23307ba3542b02d0e332fb0

  • SSDEEP

    196608:G4d0xUyYDOh8x40Me/14QlhewofSN2Hi/Xl:z71DGcySXoaD1

Score
10/10
nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojanvmprotect

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 36 IoCs
  • VMProtect packed file 9 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Suspicious use of SetThreadContext 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 36 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DNS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3576
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3488
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2536
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5940
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4520
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3280
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5760
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5568
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5296
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2984
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3572
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1900
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1908
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5304
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5620
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2588
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:6112
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5760
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:6028
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:536
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4448
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5660
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4936
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:608
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5876
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1716
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:1624
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2032
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1916
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:4580
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:5904
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3796
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2824
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Modifies registry class
    PID:628
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
        PID:4908
        • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
          "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3192
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
      1⤵
      • Checks computer location settings
      • Modifies registry class
      PID:5176
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
        2⤵
          PID:3100
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1132
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Modifies registry class
        PID:5516
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
          • Checks computer location settings
          PID:3772
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:5948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Checks computer location settings
        • Modifies registry class
        PID:5800
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
          • Checks computer location settings
          PID:2776
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2352
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Checks computer location settings
        • Modifies registry class
        PID:2432
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
          • Checks computer location settings
          PID:4484
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:5408
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Checks computer location settings
        • Modifies registry class
        PID:1772
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
          • Checks computer location settings
          PID:4444
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3180
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Checks computer location settings
        • Modifies registry class
        PID:2220
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
            PID:4676
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:4048
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:5632
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:2628
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:5012
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:4664
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:5568
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:4628
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:1828
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:3784
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:5896
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:5616
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:5864
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:5528
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:6116
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:2824
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:5208
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:1340
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:4340
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:2268
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:5440
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:1520
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:4680
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:3920
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
              PID:5056
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:1748
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4784
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:3436
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:4188
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:5892
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:1976
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:5264
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4308
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:5488
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:4656
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4092
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
                PID:3288
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:1764
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:5680
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:2312
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:4560
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:2068
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:3976
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:6068
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:4864
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:3312
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:3496
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:1072
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:1904
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:2100

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
              Filesize

              496B

              MD5

              5b4789d01bb4d7483b71e1a35bce6a8b

              SHA1

              de083f2131c9a763c0d1810c97a38732146cffbf

              SHA256

              e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

              SHA512

              357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp
              Filesize

              1KB

              MD5

              c6f0625bf4c1cdfb699980c9243d3b22

              SHA1

              43de1fe580576935516327f17b5da0c656c72851

              SHA256

              8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

              SHA512

              9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

              Download Submit

            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              Filesize

              7.6MB

              MD5

              2ddb7b4df222ac79e4ecdb2ef97541e5

              SHA1

              c7a4e649fb93a2018c4a62858ba717d404388971

              SHA256

              55be15d7406e341e46699235aea5b77fa9d0294fb01faec61baac20b35db4751

              SHA512

              f66b27015c0b9e4184777c8a35cc4f8d2e585b5b44686cf64af4bf7a86e3b79706fefceba8d4a73940871d977978c2f8aac2144af33c4fae45b8604e7c004470

              Download Submit

            • C:\Users\Public\grhgrwndeq.vbs
              Filesize

              2KB

              MD5

              1b8a24525ba407c574d27542e03951e7

              SHA1

              92830b05bed432bb30d50672d86cfc7f53296c92

              SHA256

              9b65dea002e85ad700ccd1b74918fa51bd16eec2553bc3926701b73bbe4ef952

              SHA512

              4b0003b5d840446dacc2e898195d7625d743ef2e57e0dd6bba901f431b0887b26d65024913aa6dd4cf92aa0a91bf9b775201164cd7b74bf243b817470a394459

              Download Submit

            • memory/1908-73-0x0000000001D70000-0x0000000001D71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-71-0x0000000001D50000-0x0000000001D51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-75-0x0000000001D90000-0x0000000001D91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-76-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1908-74-0x0000000001D80000-0x0000000001D81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-72-0x0000000001D60000-0x0000000001D61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-70-0x0000000001D20000-0x0000000001D21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1908-69-0x0000000001D10000-0x0000000001D11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-7-0x00000000012D0000-0x00000000012D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-2-0x0000000001250000-0x0000000001251000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-35-0x0000000000B48000-0x0000000000F74000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2316-8-0x00000000012E0000-0x00000000012E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-6-0x00000000012C0000-0x00000000012C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-0-0x0000000000B48000-0x0000000000F74000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2316-5-0x00000000012B0000-0x00000000012B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-4-0x0000000001290000-0x0000000001291000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-3-0x0000000001260000-0x0000000001261000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-9-0x0000000000A80000-0x0000000001224000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/2316-1-0x0000000001230000-0x0000000001231000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2316-46-0x0000000000A80000-0x0000000001224000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/3280-45-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/3280-37-0x0000000000A00000-0x0000000000A01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-38-0x0000000000A20000-0x0000000000A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-39-0x0000000000C40000-0x0000000000C41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-40-0x0000000000C70000-0x0000000000C71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-41-0x0000000000C80000-0x0000000000C81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-42-0x0000000000C90000-0x0000000000C91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3280-44-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-16-0x00000000003F0000-0x00000000003F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-24-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/3488-21-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-20-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-19-0x0000000000A90000-0x0000000000A91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-18-0x0000000000A60000-0x0000000000A61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-17-0x0000000000A50000-0x0000000000A51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-23-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3488-22-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-63-0x0000000002970000-0x0000000002971000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-66-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/3572-64-0x0000000002980000-0x0000000002981000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-65-0x0000000002990000-0x0000000002991000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-58-0x00000000015E0000-0x00000000015E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-59-0x0000000001C40000-0x0000000001C41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-61-0x0000000001C80000-0x0000000001C81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-60-0x0000000001C50000-0x0000000001C51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3572-62-0x0000000002960000-0x0000000002961000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-51-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-52-0x0000000001D40000-0x0000000001D41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-56-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/5296-55-0x0000000002590000-0x0000000002591000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-48-0x00000000015D0000-0x00000000015D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-49-0x00000000015F0000-0x00000000015F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-50-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-53-0x0000000002570000-0x0000000002571000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5296-54-0x0000000002580000-0x0000000002581000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5620-78-0x0000000000C70000-0x0000000000C71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-34-0x0000000000CF0000-0x0000000001494000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/5940-31-0x0000000000B80000-0x0000000000B81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-29-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-28-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-27-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-30-0x0000000000B70000-0x0000000000B71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-33-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5940-32-0x0000000000B90000-0x0000000000B91000-memory.dmp

              Filesize

              4KB

              Download