Overview

overview

10

Static

static

7

2025-03-29...er.exe

windows7-x64

7

2025-03-29...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe

  • Size

    7.6MB

  • MD5

    e4315017ccc1f9d1a181f2d2f501b96c

  • SHA1

    6a92fdbeb08ad05dbf80ce9571caced3097603dd

  • SHA256

    10d1b5f7b7a33187e51dc0fecb01aca2da1f978b809ae8f54e1c772775c3dbda

  • SHA512

    0191ce9ec60f3a21fbbec51806f0a05647c625c999571617d11edb21ed50bcf7c6105a2d60589338be4944436a5faeebba631779e23307ba3542b02d0e332fb0

  • SSDEEP

    196608:G4d0xUyYDOh8x40Me/14QlhewofSN2Hi/Xl:z71DGcySXoaD1

Score
10/10
nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojanvmprotect

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 36 IoCs
  • VMProtect packed file 9 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Suspicious use of SetThreadContext 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 36 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-29_e4315017ccc1f9d1a181f2d2f501b96c_agent-tesla_amadey_hawkeye_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1472
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3404
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "WAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3D62.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4580
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4644
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1396
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1212
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2912
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4320
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2060
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5480
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1496
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1668
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5820
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4584
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3380
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5104
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:6056
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3108
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • Suspicious use of UnmapMainImage
          PID:5324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 12
            5⤵
            • Program crash
            PID:3468
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5172
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1340
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4456
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5196
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1152
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3524
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5368
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5716
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5556
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5904
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2780
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1060
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1672
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3816
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:5184
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:1932
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3668
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2756
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:3792
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:5696
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:720
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1512
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:5348
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:876
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2304
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:4404
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:2092
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:428
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Modifies registry class
    PID:5172
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:4340
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5584
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:2860
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
      • Checks computer location settings
      PID:5568
      • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
        "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4144
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
    1⤵
    • Checks computer location settings
    • Modifies registry class
    PID:5544
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
      2⤵
        PID:2756
        • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
          "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:5632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
      1⤵
      • Checks computer location settings
      • Modifies registry class
      PID:628
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
        2⤵
        • Checks computer location settings
        PID:4600
        • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
          "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:4888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
      1⤵
      • Checks computer location settings
      • Modifies registry class
      PID:212
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
        2⤵
          PID:1904
          • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
            "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            PID:1524
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
        1⤵
        • Checks computer location settings
        • Modifies registry class
        PID:3916
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
          2⤵
            PID:1768
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:208
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:944
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:5900
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:2800
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:4288
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:2820
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:4820
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:5624
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:1636
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:888
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
          1⤵
          • Checks computer location settings
          • Modifies registry class
          PID:4892
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
            2⤵
            • Checks computer location settings
            PID:2232
            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:6124
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5324 -ip 5324
          1⤵
            PID:1316
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4932
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:4416
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:3244
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4596
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:3144
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:2320
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:1960
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:1464
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:3448
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:5884
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
              • Checks computer location settings
              PID:4736
              • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:2252
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
            1⤵
            • Checks computer location settings
            • Modifies registry class
            PID:3616
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
              2⤵
                PID:5704
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:5308
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:960
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:4224
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:1792
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Modifies registry class
              PID:1036
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:3412
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:2028
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Modifies registry class
              PID:5924
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:5304
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:5768
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Public\grhgrwndeq.vbs
              1⤵
              • Checks computer location settings
              • Modifies registry class
              PID:1264
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Public\grhgrwndeq.vbs"
                2⤵
                • Checks computer location settings
                PID:752
                • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
                  "C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:3752

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
              Filesize

              496B

              MD5

              5b4789d01bb4d7483b71e1a35bce6a8b

              SHA1

              de083f2131c9a763c0d1810c97a38732146cffbf

              SHA256

              e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

              SHA512

              357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp3D62.tmp
              Filesize

              1KB

              MD5

              c6f0625bf4c1cdfb699980c9243d3b22

              SHA1

              43de1fe580576935516327f17b5da0c656c72851

              SHA256

              8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

              SHA512

              9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

              Download Submit

            • C:\Users\Admin\AppData\Roaming\microsofts\cmdl32.bat
              Filesize

              7.6MB

              MD5

              2ddb7b4df222ac79e4ecdb2ef97541e5

              SHA1

              c7a4e649fb93a2018c4a62858ba717d404388971

              SHA256

              55be15d7406e341e46699235aea5b77fa9d0294fb01faec61baac20b35db4751

              SHA512

              f66b27015c0b9e4184777c8a35cc4f8d2e585b5b44686cf64af4bf7a86e3b79706fefceba8d4a73940871d977978c2f8aac2144af33c4fae45b8604e7c004470

              Download Submit

            • C:\Users\Public\grhgrwndeq.vbs
              Filesize

              2KB

              MD5

              570ae4fedcecd3697f25d1b1f7ca57e1

              SHA1

              1bc271e9df18a58cfc96403c3ea839f3a3fd0c87

              SHA256

              1ca24d20461ad1e35911202c91f616ab827abe51ababe073491cfd1e50b588ec

              SHA512

              49294cb27e05766f2e22cd7ad44b5d196fed10b6be9a3ae54fbee4bf34dea04b52a54616993467f1af1b56168def815a6253e819a5536516bd19af8a9f4e25c4

              Download Submit

            • memory/1212-31-0x0000000001B10000-0x0000000001B11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-29-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-28-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-34-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1212-33-0x0000000001B30000-0x0000000001B31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-26-0x0000000001A80000-0x0000000001A81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-27-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-32-0x0000000001B20000-0x0000000001B21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1212-30-0x0000000001B00000-0x0000000001B01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-2-0x0000000001B70000-0x0000000001B71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-6-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-56-0x0000000000B10000-0x00000000012B4000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1472-0-0x0000000000BD8000-0x0000000001004000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/1472-8-0x0000000001C00000-0x0000000001C01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-1-0x0000000001B50000-0x0000000001B51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-7-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-45-0x0000000000BD8000-0x0000000001004000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/1472-9-0x0000000000B10000-0x00000000012B4000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1472-3-0x0000000001B80000-0x0000000001B81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-4-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1472-5-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-51-0x00000000034E0000-0x00000000034E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-47-0x00000000012E0000-0x00000000012E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-52-0x00000000034F0000-0x00000000034F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-53-0x0000000003500000-0x0000000003501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-55-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1496-50-0x00000000034D0000-0x00000000034D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-49-0x0000000003390000-0x0000000003391000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-48-0x0000000001310000-0x0000000001311000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1496-54-0x0000000003510000-0x0000000003511000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3108-78-0x0000000001A40000-0x0000000001A41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-74-0x0000000000950000-0x0000000000951000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-73-0x0000000000940000-0x0000000000941000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-72-0x0000000000930000-0x0000000000931000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-71-0x00000000008F0000-0x00000000008F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-70-0x00000000008E0000-0x00000000008E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-75-0x0000000000960000-0x0000000000961000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-69-0x00000000008D0000-0x00000000008D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-68-0x00000000008C0000-0x00000000008C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3380-76-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/4320-37-0x00000000013F0000-0x00000000013F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-41-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-43-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-44-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/4320-36-0x00000000013D0000-0x00000000013D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-38-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-42-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-39-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-40-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-24-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/4644-22-0x0000000000A10000-0x0000000000A11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-23-0x0000000000A20000-0x0000000000A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-21-0x0000000000A00000-0x0000000000A01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-19-0x00000000009E0000-0x00000000009E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-20-0x00000000009F0000-0x00000000009F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-17-0x00000000009A0000-0x00000000009A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-18-0x00000000009B0000-0x00000000009B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4644-16-0x0000000000970000-0x0000000000971000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5820-66-0x0000000000A90000-0x0000000001234000-memory.dmp

              Filesize

              7.6MB

              Download