warzonerat | 151657667bf2f8f325780bfbbb969f2ffe337b3c16784215e6e37f4635d27237

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
Size

2.9MB
MD5

00ae31425c0682cba9e9991f1ccc0ba9
SHA1

20b8fbc10b367c19de532389ab9389678ab266f7
SHA256

151657667bf2f8f325780bfbbb969f2ffe337b3c16784215e6e37f4635d27237
SHA512

ba02a139e4098c2c7c583c2fdc2d85c2d046fc17556922c90a8c8a1c091d2fd03c69058f0483b731f3e89884a93ac3ea4aea4b7d4fce2dc9eeff9383bb1e29bc
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH7:3Ty7A3mw4gxeOw46fUbNecCCFbNecA

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Drops startup file 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid process

1112 explorer.exe
2152 explorer.exe
3616 explorer.exe

pid	process
1112	explorer.exe
2152	explorer.exe
3616	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4076 set thread context of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 set thread context of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 set thread context of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 1112 set thread context of 2152	1112	explorer.exe	explorer.exe
PID 2152 set thread context of 3616	2152	explorer.exe	explorer.exe
PID 2152 set thread context of 2964	2152	explorer.exe	diskperf.exe

Drops file in Windows directory 2 IoCs

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3052 1172 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
3052	1172	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exe

pid	process
4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
1112	explorer.exe
1112	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exeexplorer.exe

pid	process
4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
1112	explorer.exe
1112	explorer.exe
3616	explorer.exe
3616	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 4076 wrote to memory of 5060	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	cmd.exe
PID 4076 wrote to memory of 5060	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	cmd.exe
PID 4076 wrote to memory of 5060	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	cmd.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 4076 wrote to memory of 2072	4076	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 4180	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
PID 2072 wrote to memory of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 2072 wrote to memory of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 2072 wrote to memory of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 2072 wrote to memory of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 2072 wrote to memory of 392	2072	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	diskperf.exe
PID 4180 wrote to memory of 1112	4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	explorer.exe
PID 4180 wrote to memory of 1112	4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	explorer.exe
PID 4180 wrote to memory of 1112	4180	00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe	explorer.exe
PID 1112 wrote to memory of 2604	1112	explorer.exe	cmd.exe
PID 1112 wrote to memory of 2604	1112	explorer.exe	cmd.exe
PID 1112 wrote to memory of 2604	1112	explorer.exe	cmd.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe
PID 1112 wrote to memory of 2152	1112	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:5060

C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00ae31425c0682cba9e9991f1ccc0ba9_JaffaCakes118.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2604

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2152

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4536

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2988

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:60

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:32

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 192
9⤵
- Program crash
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1172 -ip 1172
1⤵
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
00ae31425c0682cba9e9991f1ccc0ba9

SHA1
20b8fbc10b367c19de532389ab9389678ab266f7

SHA256
151657667bf2f8f325780bfbbb969f2ffe337b3c16784215e6e37f4635d27237

SHA512
ba02a139e4098c2c7c583c2fdc2d85c2d046fc17556922c90a8c8a1c091d2fd03c69058f0483b731f3e89884a93ac3ea4aea4b7d4fce2dc9eeff9383bb1e29bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.9MB

MD5
23ae39341c956f3e83d0757cdc644f3b

SHA1
eced696ed19ffad30df157700cfe257cc0d58570

SHA256
1dd14b967e547183387fc95bc582c99701ecbb45675ab120fa7b8f2498fd5a49

SHA512
389e8be079414c0c640679f0d970f32c15a4416e1fb48457ef877c11b919d5004dffdc49470631a097d44df2b9445bddb895440927f75165aaad6e20c083967f

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.9MB

MD5
6cc4bc39beee736ca46d38802bd1c70f

SHA1
da9c4a25b7b830276077cf9f1caf73d18884aa23

SHA256
a9506ad9b6199dbf36f8f1fe1932eeecbc3265403667e8e839911ae0b86dc194

SHA512
63e26e1eef6cdf3cb517d0bd5340254267e1009b17b64d84ac67df2f454061bcb44e22953a72c1896d496ec112af6b380d0dd34298c1c9b31a98739a7c1d0c27

Download Submit
memory/60-241-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/392-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/392-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/392-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/936-112-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/936-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-122-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-149-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/1408-440-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1632-100-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1632-413-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1632-101-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1632-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1632-98-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1632-104-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1632-103-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1632-106-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1632-109-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1632-117-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/2004-240-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2072-11-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/2072-5-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-9-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-31-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-15-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/2072-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2072-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2072-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2108-256-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/2108-178-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2152-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-68-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2152-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-72-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2152-54-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2152-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2152-51-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/2152-50-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2244-304-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/2676-192-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2676-255-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/2676-200-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2964-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3076-276-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3076-314-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3616-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-138-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4312-156-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4312-172-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/4416-89-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4416-96-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4416-91-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4416-92-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4416-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4416-93-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4416-436-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4416-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4600-242-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/4600-126-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4600-146-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5028-272-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/5112-235-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/5112-251-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download