warzonerat | ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
Size

1.2MB
MD5

16ab99e0ac1897405a4d16b44b29c0af
SHA1

e0e474c2748c474810774622dee6a77e31e58f1a
SHA256

ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6
SHA512

7dc4494c23b3d9245a1340bd46020172fa5a62c2220e63af63fecf21e6b96503982c89fc2b9d468dce583911b6212243f0fcdfb02f1eeb9fe11f06cc3bc1ca33
SSDEEP

12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11kj:OIbGD2JTu0GoZQDbGV6eH81kj

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1420	explorer.exe
2532	explorer.exe
2964	spoolsv.exe
4060	spoolsv.exe
1108	spoolsv.exe
4268	spoolsv.exe
4240	spoolsv.exe
3200	spoolsv.exe
4116	spoolsv.exe
1092	spoolsv.exe
3140	spoolsv.exe
3532	spoolsv.exe
4748	spoolsv.exe
2636	spoolsv.exe
4776	spoolsv.exe
4740	spoolsv.exe
4168	spoolsv.exe
1132	spoolsv.exe
1408	spoolsv.exe
2148	spoolsv.exe
3848	spoolsv.exe
4348	spoolsv.exe
1236	spoolsv.exe
452	spoolsv.exe
4620	spoolsv.exe
3640	spoolsv.exe
3676	spoolsv.exe
2856	spoolsv.exe
908	spoolsv.exe
4032	spoolsv.exe
1100	spoolsv.exe
3992	spoolsv.exe
2844	spoolsv.exe
396	spoolsv.exe
4484	spoolsv.exe
1420	spoolsv.exe
4424	spoolsv.exe
4912	spoolsv.exe
4500	spoolsv.exe
2468	spoolsv.exe
4672	spoolsv.exe
3104	spoolsv.exe
1708	spoolsv.exe
4048	spoolsv.exe
4940	spoolsv.exe
4788	spoolsv.exe
1696	spoolsv.exe
4736	spoolsv.exe
4856	spoolsv.exe
4988	spoolsv.exe
2592	spoolsv.exe
4220	spoolsv.exe
3060	spoolsv.exe
1284	spoolsv.exe
3152	spoolsv.exe
1436	spoolsv.exe
1900	spoolsv.exe
4336	spoolsv.exe
4768	spoolsv.exe
3504	spoolsv.exe
4792	spoolsv.exe
1744	spoolsv.exe
4152	spoolsv.exe
5080	spoolsv.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exe16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4664 set thread context of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 set thread context of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 1420 set thread context of 2532	1420	explorer.exe	explorer.exe
PID 1420 set thread context of 4528	1420	explorer.exe	diskperf.exe
PID 2964 set thread context of 5468	2964	spoolsv.exe	spoolsv.exe
PID 2964 set thread context of 5492	2964	spoolsv.exe	diskperf.exe
PID 4060 set thread context of 5600	4060	spoolsv.exe	spoolsv.exe
PID 4060 set thread context of 5612	4060	spoolsv.exe	diskperf.exe
PID 1108 set thread context of 5732	1108	spoolsv.exe	spoolsv.exe
PID 1108 set thread context of 5744	1108	spoolsv.exe	diskperf.exe
PID 4268 set thread context of 5816	4268	spoolsv.exe	spoolsv.exe
PID 4268 set thread context of 5840	4268	spoolsv.exe	diskperf.exe
PID 4240 set thread context of 5916	4240	spoolsv.exe	spoolsv.exe
PID 4240 set thread context of 5932	4240	spoolsv.exe	diskperf.exe
PID 3200 set thread context of 6028	3200	spoolsv.exe	spoolsv.exe
PID 3200 set thread context of 6040	3200	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exe

pid	process
4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2532 explorer.exe

pid	process
2532	explorer.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
5468	spoolsv.exe
5468	spoolsv.exe
5600	spoolsv.exe
5600	spoolsv.exe
5732	spoolsv.exe
5732	spoolsv.exe
5816	spoolsv.exe
5816	spoolsv.exe
5916	spoolsv.exe
5916	spoolsv.exe
6028	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4360	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
PID 4664 wrote to memory of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 4664 wrote to memory of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 4664 wrote to memory of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 4664 wrote to memory of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 4664 wrote to memory of 4224	4664	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	diskperf.exe
PID 4360 wrote to memory of 1420	4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	explorer.exe
PID 4360 wrote to memory of 1420	4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	explorer.exe
PID 4360 wrote to memory of 1420	4360	16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 2532	1420	explorer.exe	explorer.exe
PID 1420 wrote to memory of 4528	1420	explorer.exe	diskperf.exe
PID 1420 wrote to memory of 4528	1420	explorer.exe	diskperf.exe
PID 1420 wrote to memory of 4528	1420	explorer.exe	diskperf.exe
PID 1420 wrote to memory of 4528	1420	explorer.exe	diskperf.exe
PID 1420 wrote to memory of 4528	1420	explorer.exe	diskperf.exe
PID 2532 wrote to memory of 2964	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 2964	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 2964	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4060	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4060	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4060	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1108	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1108	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1108	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4268	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4268	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4268	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4240	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4240	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4240	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3200	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3200	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3200	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4116	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4116	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4116	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1092	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1092	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 1092	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3140	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3140	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3140	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3532	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3532	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 3532	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4748	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4748	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 4748	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 2636	2532	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 2636	2532	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:5600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:5732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:5916

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6140

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5348

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:4528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.2MB

MD5
16ab99e0ac1897405a4d16b44b29c0af

SHA1
e0e474c2748c474810774622dee6a77e31e58f1a

SHA256
ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6

SHA512
7dc4494c23b3d9245a1340bd46020172fa5a62c2220e63af63fecf21e6b96503982c89fc2b9d468dce583911b6212243f0fcdfb02f1eeb9fe11f06cc3bc1ca33

Download Submit
C:\Windows\System\explorer.exe

Filesize
1.2MB

MD5
cf2a00b7367635ae697233b00e7471c4

SHA1
de7520783ae56cbc59d9c542beb11d77d98be3d2

SHA256
0d26cc68424c8255f317edee72d791bb71867e519658d8c6c14efb76c674c3c0

SHA512
3b8f6e07855a966238f940252c7b27d03a22a9fe8a5b3fc029187b169ab996822f6d0576b17161dce42d8226a65315c06aff8add5f8aebf58b75c196a51e57ed

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.2MB

MD5
568ad7dc502e4e5200ff771d3bb0186e

SHA1
065d76668ac32960294a3de21652e0c6fa03fcbd

SHA256
3fd73b881a1fb467e64dbb2b7f093bdd013718cab3b7e1143a2989f43c21930e

SHA512
7fe0ecfe9960687031c36f9e2ae7951ed5822198491a7362bf3ade122b51eef5c27042d32a67b5da57047c576550a044ee376eea39e0005ad6b75dd3b37aacae

Download Submit
memory/376-432-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/416-383-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/452-143-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/536-379-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/612-387-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/668-375-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/756-366-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/876-415-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/908-165-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-454-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-576-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-90-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1092-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1108-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1108-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1108-427-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1108-513-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1132-118-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1284-291-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1420-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1436-302-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1696-256-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1708-231-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1744-335-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1900-306-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2024-393-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2148-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2248-371-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-216-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2532-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-279-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2636-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2856-160-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2916-362-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2964-418-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2964-484-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2964-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2964-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3080-354-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3084-408-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3140-588-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3140-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3140-459-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3148-397-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3152-296-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3200-552-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3200-444-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3448-426-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3504-326-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-599-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-97-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-466-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3828-411-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3964-348-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4032-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4048-241-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4060-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4060-425-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4060-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4060-498-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4116-563-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4116-450-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4116-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4116-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4152-340-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4220-282-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4224-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4224-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4224-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4240-438-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4240-539-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4264-400-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4268-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4268-526-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4268-433-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4336-315-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4348-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4360-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-33-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4424-202-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4484-190-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4500-210-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4528-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4620-148-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-6-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4664-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-9-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-3-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4664-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4664-21-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4716-404-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4736-262-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4740-111-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4748-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4748-474-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4768-319-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4856-268-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4912-205-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4988-273-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5060-358-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5080-344-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5084-421-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5212-442-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5260-447-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5336-458-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5376-464-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5424-470-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5468-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download