warzonerat | 232fa0ccf0d7101b181f4b5d8d3ff8922add3201a9ec0775bd7a3dc92c83593d

Analysis

max time kernel
138s
max time network
51s
platform
windows7_x64
resource
win7v20210408
submitted
07-06-2021 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8fc47b239020267d15dbe3341300556e49045fa.exe
Size

2.9MB
MD5

c5e28bfedb16297faa7457ceb5227cee
SHA1

f8fc47b239020267d15dbe3341300556e49045fa
SHA256

8733e10a589c028f8a2ccffc49d38b1293664e097401bee7053c4ec84f0565fa
SHA512

41c5b2c253f9901ff734aa3fa184ded36e11c3652a3f0eaa87e40c509be61bf320de06c62e26f017533c64f82abbca48e6ca51576544135341da7832be4d6506

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 52 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 20 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
832	explorer.exe
1648	explorer.exe
1636	explorer.exe
1908	spoolsv.exe
1084	spoolsv.exe
2032	spoolsv.exe
1596	spoolsv.exe
1780	spoolsv.exe
892	spoolsv.exe
1640	spoolsv.exe
1016	spoolsv.exe
1496	spoolsv.exe
724	spoolsv.exe
1588	spoolsv.exe
296	spoolsv.exe
1688	spoolsv.exe
1976	spoolsv.exe
1700	spoolsv.exe
1516	spoolsv.exe
1104	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 8 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Loads dropped DLL 28 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
568	f8fc47b239020267d15dbe3341300556e49045fa.exe
568	f8fc47b239020267d15dbe3341300556e49045fa.exe
1636	explorer.exe
1636	explorer.exe
1908	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2032	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1780	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1640	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1496	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1588	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1688	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1700	spoolsv.exe
1636	explorer.exe
1636	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f8fc47b239020267d15dbe3341300556e49045fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1936 set thread context of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 set thread context of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 set thread context of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 832 set thread context of 1648	832	explorer.exe	explorer.exe
PID 1648 set thread context of 1636	1648	explorer.exe	explorer.exe
PID 1648 set thread context of 1052	1648	explorer.exe	diskperf.exe
PID 1908 set thread context of 1084	1908	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 1596	2032	spoolsv.exe	spoolsv.exe
PID 1780 set thread context of 892	1780	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 1016	1640	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 724	1496	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 296	1588	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 1976	1688	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 1516	1700	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 13 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exef8fc47b239020267d15dbe3341300556e49045fa.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1936	f8fc47b239020267d15dbe3341300556e49045fa.exe
568	f8fc47b239020267d15dbe3341300556e49045fa.exe
832	explorer.exe
1908	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2032	spoolsv.exe
1636	explorer.exe
1780	spoolsv.exe
1636	explorer.exe
1640	spoolsv.exe
1636	explorer.exe
1496	spoolsv.exe
1636	explorer.exe
1588	spoolsv.exe
1636	explorer.exe
1688	spoolsv.exe
1636	explorer.exe
1700	spoolsv.exe
1636	explorer.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
1936	f8fc47b239020267d15dbe3341300556e49045fa.exe
1936	f8fc47b239020267d15dbe3341300556e49045fa.exe
568	f8fc47b239020267d15dbe3341300556e49045fa.exe
568	f8fc47b239020267d15dbe3341300556e49045fa.exe
832	explorer.exe
832	explorer.exe
1636	explorer.exe
1636	explorer.exe
1908	spoolsv.exe
1908	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2032	spoolsv.exe
2032	spoolsv.exe
1780	spoolsv.exe
1780	spoolsv.exe
1640	spoolsv.exe
1640	spoolsv.exe
1496	spoolsv.exe
1496	spoolsv.exe
1588	spoolsv.exe
1588	spoolsv.exe
1688	spoolsv.exe
1688	spoolsv.exe
1700	spoolsv.exe
1700	spoolsv.exe
1104	spoolsv.exe
1104	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exe

description	pid	process	target process
PID 1936 wrote to memory of 1972	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 1936 wrote to memory of 1972	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 1936 wrote to memory of 1972	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 1936 wrote to memory of 1972	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1936 wrote to memory of 1136	1936	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 568	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 1136 wrote to memory of 1488	1136	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 568 wrote to memory of 832	568	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 568 wrote to memory of 832	568	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 568 wrote to memory of 832	568	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 568 wrote to memory of 832	568	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 832 wrote to memory of 1840	832	explorer.exe	cmd.exe
PID 832 wrote to memory of 1840	832	explorer.exe	cmd.exe
PID 832 wrote to memory of 1840	832	explorer.exe	cmd.exe
PID 832 wrote to memory of 1840	832	explorer.exe	cmd.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe
PID 832 wrote to memory of 1648	832	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
"C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
  C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
    C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:568
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:1840
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1628
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1052
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
c5e28bfedb16297faa7457ceb5227cee

SHA1
f8fc47b239020267d15dbe3341300556e49045fa

SHA256
8733e10a589c028f8a2ccffc49d38b1293664e097401bee7053c4ec84f0565fa

SHA512
41c5b2c253f9901ff734aa3fa184ded36e11c3652a3f0eaa87e40c509be61bf320de06c62e26f017533c64f82abbca48e6ca51576544135341da7832be4d6506

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
C:\Windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
C:\Windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\??\c:\windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
\Windows\system\explorer.exe

MD5
105e5d2b8d75945e344e4a4054a9ba75

SHA1
1b0674d2f6d6887fd5a46fe7d7af8d70a390b3a8

SHA256
610ab1ce2fd28a4d71c72f8939abb052818e4d8c28655f8d8e9788bae900d55c

SHA512
eab71794540c47c67a91a5ba3925c3bbd3bcf6fb979e54b3ceea2df990f7a611140bc30979d07904874af517ec53d60988cf7c7c27f8af79163a5148dc3efe14

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
\Windows\system\spoolsv.exe

MD5
2baae469a87cbd29eb0b11974eca0993

SHA1
f98a46c19df539fd0dbb124ca80f075e0fadb09a

SHA256
923978a6e62748d194fa1b29a280af6281f444da8848d3f546ec4ec717bb7ea9

SHA512
40e3a1e2e404d78b052e8288bb9c87871ed679024a8fc29e480fee3cab70d1149935a134009d451dd09fbc04da1fe509c99943d5ca9bfa01675e887d9e8f4fbe

Download Submit
memory/296-209-0x00000000004E7001-mapping.dmp

Download
memory/296-218-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/568-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/568-71-0x0000000000403670-mapping.dmp

Download
memory/568-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/724-191-0x00000000004E7001-mapping.dmp

Download
memory/724-200-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/724-217-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/724-207-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/724-195-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/828-152-0x0000000000000000-mapping.dmp

Download
memory/832-81-0x0000000000000000-mapping.dmp

Download
memory/892-160-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/892-178-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/892-164-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/892-189-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/892-199-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/892-157-0x00000000004E7001-mapping.dmp

Download
memory/920-204-0x0000000000000000-mapping.dmp

Download
memory/1016-173-0x00000000004E7001-mapping.dmp

Download
memory/1016-208-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1052-103-0x0000000000411000-mapping.dmp

Download
memory/1084-127-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1084-136-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1084-123-0x00000000004E7001-mapping.dmp

Download
memory/1084-149-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-126-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1084-139-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1104-237-0x0000000000000000-mapping.dmp

Download
memory/1136-62-0x00000000004E7001-mapping.dmp

Download
memory/1136-65-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1136-61-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1136-64-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1136-66-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1136-67-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1136-68-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1136-69-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1328-229-0x0000000000000000-mapping.dmp

Download
memory/1408-119-0x0000000000000000-mapping.dmp

Download
memory/1408-216-0x0000000000000000-mapping.dmp

Download
memory/1488-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1488-74-0x0000000000411000-mapping.dmp

Download
memory/1488-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1496-181-0x0000000000000000-mapping.dmp

Download
memory/1516-232-0x00000000004E7001-mapping.dmp

Download
memory/1588-198-0x0000000000000000-mapping.dmp

Download
memory/1596-185-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-140-0x00000000004E7001-mapping.dmp

Download
memory/1636-96-0x0000000000403670-mapping.dmp

Download
memory/1640-163-0x0000000000000000-mapping.dmp

Download
memory/1648-104-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1648-107-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1648-93-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1648-94-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1648-92-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1648-88-0x00000000004E7001-mapping.dmp

Download
memory/1648-91-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1688-213-0x0000000000000000-mapping.dmp

Download
memory/1700-226-0x0000000000000000-mapping.dmp

Download
memory/1716-186-0x0000000000000000-mapping.dmp

Download
memory/1780-146-0x0000000000000000-mapping.dmp

Download
memory/1840-85-0x0000000000000000-mapping.dmp

Download
memory/1908-115-0x0000000000000000-mapping.dmp

Download
memory/1936-59-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1964-168-0x0000000000000000-mapping.dmp

Download
memory/1972-60-0x0000000000000000-mapping.dmp

Download
memory/1976-227-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1976-221-0x00000000004E7001-mapping.dmp

Download
memory/1980-134-0x0000000000000000-mapping.dmp

Download
memory/2032-130-0x0000000000000000-mapping.dmp

Download