warzonerat | ef400bc00e436f75cbfb38a725dbcce1b0855c16ce2af51344bf16e50138672f

Analysis

max time kernel
95s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 03:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
Size

2.9MB
MD5

281cd7c376e335d46505718540cd5f31
SHA1

0d9ae5b459062c76b72094175a7366609a2c685b
SHA256

ef400bc00e436f75cbfb38a725dbcce1b0855c16ce2af51344bf16e50138672f
SHA512

c51b864bb920abdfed910a8f2604397657779c1a31dff4fbc4a3ac963210cce1da9457a0765ee7f90fe799a9f6dc4e8f4b8fbfacc41ecf4d6f4e0b34b5a87b54
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHV:3Ty7A3mw4gxeOw46fUbNecCCFbNecc

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a0000000155e2-93.dat	warzonerat
behavioral1/files/0x0009000000015d88-387.dat	warzonerat
behavioral1/files/0x0009000000015d88-448.dat	warzonerat
behavioral1/files/0x0009000000015d88-447.dat	warzonerat
behavioral1/files/0x0009000000015d88-497.dat	warzonerat
behavioral1/files/0x0009000000015d88-495.dat	warzonerat
behavioral1/files/0x0009000000015d88-540.dat	warzonerat
behavioral1/files/0x0009000000015d88-655.dat	warzonerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2168	explorer.exe
2200	explorer.exe
1216	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2784 set thread context of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 set thread context of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2168 set thread context of 2200	2168	explorer.exe	38
PID 2200 set thread context of 1216	2200	explorer.exe	39

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
2168	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
2168	explorer.exe
2168	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1688	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	28
PID 2888 wrote to memory of 1688	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	28
PID 2888 wrote to memory of 1688	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	28
PID 2888 wrote to memory of 1688	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2784	2888	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 1916	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	33
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 2784 wrote to memory of 2712	2784	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	34
PID 1916 wrote to memory of 2168	1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	35
PID 1916 wrote to memory of 2168	1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	35
PID 1916 wrote to memory of 2168	1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	35
PID 1916 wrote to memory of 2168	1916	281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe	35
PID 2168 wrote to memory of 1436	2168	explorer.exe	36
PID 2168 wrote to memory of 1436	2168	explorer.exe	36
PID 2168 wrote to memory of 1436	2168	explorer.exe	36
PID 2168 wrote to memory of 1436	2168	explorer.exe	36
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38
PID 2168 wrote to memory of 2200	2168	explorer.exe	38

C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\281cd7c376e335d46505718540cd5f31_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:1436
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2200
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:1216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:564
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1708
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:1840
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1704
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2776
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:696
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1188
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1116
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1060
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1564
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:984
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
128KB

MD5
de0ea8a848cb26ca8293c26b9a88ce51

SHA1
fedb10fc5325de55f8b7014d8cbf257198373b49

SHA256
97b98d4f204fce7567ba3e9fe944409f588b8aac586bf675a332f4f2424379db

SHA512
a01c1d46fbb5fad86464f482871182a402e2c67cd6812a941d42a1751cbf436c8a9d570427acf7504e5cc8aaa590cfe1f915b9fd5d239dc484b6d2abba7dd54b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.0MB

MD5
6a1ee1c9656e984c01882e78ca960575

SHA1
8dc5a8660e058d2d2eff91314481ffae10481b6f

SHA256
4176389aa0160094b7361c090570319677221a0a64a1e9b4cf3cec53ab10c3dd

SHA512
aeddfae4156b23901aa17ee065a6ae01417befdefb47da93e90a9c210c1cf1ba0e66a1d2d27cc420f1f5afbaa7adb7364428f34f0d62e87e917d1a28a6e5cebe

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
448KB

MD5
5944d82e9ff80003dc37920f866e0450

SHA1
6db32fc84a0a2b7e7bdbd760f81e7950c4da9fed

SHA256
43a859ffe0111629a55037890778eeff377f858073c0b6a55f6f70b378bcf363

SHA512
d16e07591f7f7474b59f5ff2627eefdf2d2000e8be7d4446db654815e1f185883d70d2680035772db340d2a762c79b6c3d15be5642bbc94460afdddb96b8b8ab

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.3MB

MD5
b973fc90921746b34b48e5a902c48247

SHA1
3bbf14dcf2d6f79435630751c8e23b17763eab95

SHA256
c6f1ed2803fe4a9ded49e5d31fe1288e2ab4ada5c7ff4b55aaaa39e42a351794

SHA512
009cc4d052553376d3f8b70dd0beb062469e6d839de742ddb49903818902f54ade7a481a765899e8afe63de970f35e45a9e83c8804dd7cf1faaab9eb51c78a83

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.2MB

MD5
a0948657e30c862ac16558579fb1ba80

SHA1
0d6ad389b9381d2b74a504c4c12b68a13a77bae6

SHA256
14275ee1a019e40b2287bf7d4ae1f4fdd23ffc138ce8d743607105b282f0fee3

SHA512
c7327358dfd350b69399f11510b592ebf9ed5ff58d509316ab0102708230beebdf376c2c23b1ad69189e06f5f7ca8c50cdad4c7e98807bd7a55a7a2d82f0da32

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
0db5540e828988311d26e62d4546afb8

SHA1
57efaec09cb721a5c079f3df115d5841b46935bf

SHA256
772070d008c313e63c95b301d8b09c4505ef969737cc8d636a1a261650e7933c

SHA512
74fa213776328846f8be827fa39e7ca6bea8cbc670e9ca090d5f965baa1fefcb62ac862bb3b385686c7cfa568e8384ee2700334196eeff11bd1fa916197b23a2

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
02dc87b9b2ac8b8d865a91dcb3d6e9e5

SHA1
bd3668051dd56cc81cf108fdbbec2bbc5a38fc86

SHA256
645c6cca050152cd607408214fe9092b808a321e8f463e055721fd2ce4e33d51

SHA512
2b3aa30b9ad45a466f60097bbb18173bbc55df52c4162ea63e218d699474a2671fb3921619194cd2a4a3da399b40704a4e95bf68e9b91291b6ceb382af0c6772

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
f7cb416244a6896725ecc7173c024833

SHA1
9cbb68cf8dfe3f84b8b9d9ba6ad7a917558bf039

SHA256
1691067721e2707b3cc5cbda825fa85c55651184585f5f876fafc7606135d6de

SHA512
101a01195a2d69bf0b1b57dc685e4c8a44d8e7a44c903f092673cc6e53e6e6b427de0cbb3e9e081f6836a4f4f0fed5a17e75bc9b1d0417a574d76d0a535430c7

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
988KB

MD5
0999e72fdf63539adaf2b2812c779572

SHA1
1a714238a1c837f202c15e27a221d70c333b9a77

SHA256
3680dd17a0dd5873306841b00e3092bfcea2aa8b4c610989da829f9396e3dc0c

SHA512
10af72ad1bb87658dde60a06eea1c532e7821f70a24d879c8c8a6f115ebd01ed082ae046e5880eb6c6715fe2b95444333a46838776d4e99ffeaf2ea97a2bb2bf

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
875KB

MD5
4cf3f2a46057903e41133cb69c9c3e1e

SHA1
33ed11f0ec6f91534c78656055e99c30a0d7b906

SHA256
2f108171aa6c730803e1aac722990f1bf39df3a8eb9d836fae75ac4c8ac7bf7c

SHA512
0a3e26459d4b644fcd0e9b269eba956f2045b68649e4b8eae79d5d756a40f316e406d7d3d7aa2eac10ffdcc4fb99e9818c9d71350848b78fb90aa5493193fd5b

Download Submit
\Windows\system\explorer.exe

Filesize
2.9MB

MD5
03c37759f01fd7ecd36eacec35599012

SHA1
e5716661e64c722dde48e5c8c06270f5f36d0323

SHA256
8b9ebb803b8cd121b450e8d2f802c1b6d6004d366966f6f4da4e791f46d1a821

SHA512
20438d0e24ca2523dfb971d0b04ea8165ae3c2b1a571d4e54e562a4e9b983c513ad6e08188b1bc12b0bec64a4d95c23602c2af84516f2db163afc2a401ab4811

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
e32778b00a37db6342bb258d8f7929f3

SHA1
6bf3b2be983652c242f782ba69b8e0d200a12bed

SHA256
5343d0c7f15f080c33bbd3493b367b003429c91dd2fa83aa04c6495f9dfe2201

SHA512
3cf7b4b4087f15a467cf946864b66d218f4087ba6b618cb828109f9386fa70cc0f89c6181e8923cab7cadfce79d40b39828c96510dad51014992bfb735ff1f58

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.2MB

MD5
08400aafe1712155f8ce5353ce069d6c

SHA1
3dfbb9223652503388420e79ccd255810c1688a6

SHA256
2b844c90a8488052d8a39399ead6fac02d80bce06d1f6bd565d44f076816fb04

SHA512
060e0ebb4dbe0c458f42adf6aad71b5052aa3f76e5c1e7fc2acd74188754d13441b60c526ca923e1560c6ca9c94546bc16266ab687369f5bdf541516b63bbdd1

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
4ac3cd2263ef145d1451e5754d0abbdc

SHA1
01bd5dddcb8b35033c26b5a786fd82317474359a

SHA256
40964e53df0d93e7e6ba1d40d67920429cf642a763b303dbfb8dce247df84ae3

SHA512
0ea03aa86fe7aaad4c5b74a3166493d6a4d22e5fffdfe7884af9f7e83d64aac89191056787bef528d76efe09dc16d5dae16b16c35cce9ea20c20be3272670127

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.0MB

MD5
45516d8a556b73928dc4398858f4b860

SHA1
ef74381b606cc609425e3f5db8ffdbfe59aea215

SHA256
28dac7a537ed744add76f5b4e35f420eeebcc80fa8873d08cca763a2869ba8fa

SHA512
0a46d37f1d6b23d90f592693b61085510b76cd828097f86ed791f6969dca579866e25822fb037be59fd3260d0abb3a17e642d3fff6ef531e8ae437c71c4df1bb

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
ac6ded7a8f3947af726a11aa4bcfec4b

SHA1
a66600cd1ff5bd071e5af0c786d123d070e38b47

SHA256
532d91b1106ad87549b696ddcc5a7edb791b04f04676d07c5a7c8d16d5440812

SHA512
65ee0b94648c2db47ead2be19f2f867487785b6aa024f67aa214c8da8e615993dd55df88a0189acc66798d61ec17d57330c8954527a1129d9541627a587a279a

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
6c3345f7834390daea7263b8a0da19e6

SHA1
ed15e3a6db01c0cc493f5d30f35b0ab5aeaa4262

SHA256
fea0518e176cb956c05ef0584527dbc19992313b78dcde8b349ad890b26bc7aa

SHA512
442fbdd0833f4280ed3105926b70337e9842ed10634199c3fb032d46fda1fae3e00a42001619f4e31eaf50d545968035f8f72020d4b5028dab03b8876ca97a35

Download Submit
\Windows\system\spoolsv.exe

Filesize
870KB

MD5
174c010bc87bea3ce854bf7c51f92cc4

SHA1
d0e061e68254e208a9b1e730d3b56f1cfdf3e463

SHA256
84cfde8deb55b43d801e74c2b883257fefc2a5f14bbad6c1233b26932151c93f

SHA512
237b89f04f8f617d479118fd35e02ec51f523ae04919f021c6a59e713c9a286ad97e3703a378f0dc70c9e3d1bd6e681d1d8f1a0161891468f46c4a590404d1ec

Download Submit
\Windows\system\spoolsv.exe

Filesize
753KB

MD5
ec378035c28a63be0642856fcf11f2a5

SHA1
3b85b8d06b3a874241c8932d2cd072eb55012c1a

SHA256
76798512a9a81e5104294d95ac4b2e5fd89a258a055b51b4449a75949a57f300

SHA512
c71609318b896c11682244a0316c76c6e927d90ea6e4baa20f849e365a3c83e77e79f659f53a7ee2baf6b4e4c9b9d1a2bfda6082454c4cd4a42dacd89846720f

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
0d2827ee0621d61659ead3a67aece786

SHA1
1a2791ea4731e14acdaff751a8937e3c7480878a

SHA256
438c7ebe2df76bee6915bd679686398d1e98e8faa26a5dcbae58125c8c7079ab

SHA512
d1c6f750e6bcd74784fdd99431c442b64d6a21f8db7e029d774199513ce8d639a3433b6b7457ccbc503bd9e9544b71dfd088743629b6132d298f35693440f987

Download Submit
memory/564-1036-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/564-251-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/692-704-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1368-598-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1388-949-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1476-392-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-1001-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1576-646-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1704-295-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1708-1018-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-1117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-512-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1724-853-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1916-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-141-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2200-183-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2292-342-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2388-1105-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2628-854-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-88-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-42-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2784-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-50-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-54-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2784-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2784-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2784-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2904-917-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download