warzonerat | 3f80d223c08d312d3fce6a521115a0c28d82104b64084cdc5986f16b6651b10b

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
Size

2.9MB
MD5

7b2b777d5e5f12e2b633821389b71a00
SHA1

24237d027fcf9803c189fb45a8bc95900eab1e02
SHA256

3f80d223c08d312d3fce6a521115a0c28d82104b64084cdc5986f16b6651b10b
SHA512

28e5970d8855482883e6f795075aa4da29a25018254605a2e08ccbdd7bb2e8d8633d8889ad41d0864a234fb2058c6903b25e47180de6b8ebad88ee1d60809365
SSDEEP

24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHg:eTy7ASmw4gxeOw46fUbNecCCFbNecF

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023285-33.dat	warzonerat
behavioral2/files/0x0008000000023283-58.dat	warzonerat
behavioral2/files/0x0004000000000733-72.dat	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
4036	explorer.exe
996	explorer.exe
3604	explorer.exe
408	spoolsv.exe
4492	spoolsv.exe
4292	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 2756 set thread context of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 set thread context of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 4036 set thread context of 996	4036	explorer.exe	108
PID 996 set thread context of 3604	996	explorer.exe	109
PID 996 set thread context of 2628	996	explorer.exe	110
PID 408 set thread context of 4492	408	spoolsv.exe	114

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
4036	explorer.exe
4036	explorer.exe
408	spoolsv.exe
408	spoolsv.exe
3604	explorer.exe
3604	explorer.exe
3604	explorer.exe
3604	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
4036	explorer.exe
4036	explorer.exe
3604	explorer.exe
3604	explorer.exe
408	spoolsv.exe
408	spoolsv.exe
3604	explorer.exe
3604	explorer.exe
4292	spoolsv.exe
4292	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4896	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 4896	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 4896	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 4616 wrote to memory of 2756	4616	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	93
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 3632	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	103
PID 2756 wrote to memory of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 2756 wrote to memory of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 2756 wrote to memory of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 2756 wrote to memory of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 2756 wrote to memory of 4596	2756	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	104
PID 3632 wrote to memory of 4036	3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	105
PID 3632 wrote to memory of 4036	3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	105
PID 3632 wrote to memory of 4036	3632	7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe	105
PID 4036 wrote to memory of 5100	4036	explorer.exe	106
PID 4036 wrote to memory of 5100	4036	explorer.exe	106
PID 4036 wrote to memory of 5100	4036	explorer.exe	106
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108
PID 4036 wrote to memory of 996	4036	explorer.exe	108

C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
    C:\Users\Admin\AppData\Local\Temp\7b2b777d5e5f12e2b633821389b71a00_NeikiAnalytics.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:5100
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2116
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3316
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1816
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1060
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1568
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2628
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
7b2b777d5e5f12e2b633821389b71a00

SHA1
24237d027fcf9803c189fb45a8bc95900eab1e02

SHA256
3f80d223c08d312d3fce6a521115a0c28d82104b64084cdc5986f16b6651b10b

SHA512
28e5970d8855482883e6f795075aa4da29a25018254605a2e08ccbdd7bb2e8d8633d8889ad41d0864a234fb2058c6903b25e47180de6b8ebad88ee1d60809365

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
2cbd8eecd0f85a48874b7b2abbf829dc

SHA1
bce81a3ee559ae36f776b916d25a7acf1edcff6c

SHA256
aa0b24d33d9250628e57cbd38803e649f9023c2c59b0bd0ab4b600840ce4cc10

SHA512
01770e8f6cf38d2c3074742f29bf989833f9c874dfef2c915026d7260e1f3aaf5bbeb82f83e88369ce464d3523a0d46ac9ef6e9a818404b9ac4d63615b87d6e0

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
336ed3d57672b7210625ef34b9b28754

SHA1
503169ff6e28ee41bb9ea85fc2674e70f45b8033

SHA256
673b38058da9e87588c3c12376267452ddda84aa43a2b59977041eed34cae140

SHA512
6588b3f9e7e90bc5f483259a74df8547758b882773bbe427ed42e167b7852d86500314cf0b2ee8307ebe576eaeaf02bb94a9b6b3cb0dfa70d5d4440d6771d08e

Download Submit
memory/540-339-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/996-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/996-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/996-63-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/996-68-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/996-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/996-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/996-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/996-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1284-180-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1328-286-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1376-362-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-386-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2148-131-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-219-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-110-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2612-106-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-107-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2612-108-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2612-109-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2756-29-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2756-4-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2756-11-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2756-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2756-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2756-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-5-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2756-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2992-144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3100-156-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3184-193-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3196-206-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3264-350-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3304-316-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3604-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-301-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3732-245-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3804-259-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3980-92-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4012-114-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4372-273-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4492-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4492-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4492-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4492-80-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4492-84-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4492-79-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4596-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4596-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4596-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4748-398-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4756-374-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4976-328-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download