warzonerat | 684f1249ded24468d83ecd163e94fce5d14ec10c478211894d4e5f5c54b047a3

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6ec3fabd45307dae7c308d992b2dd20N.exe
Size

2.9MB
MD5

d6ec3fabd45307dae7c308d992b2dd20
SHA1

72b86e54b784f9fde943f83278677dfe2221399c
SHA256

684f1249ded24468d83ecd163e94fce5d14ec10c478211894d4e5f5c54b047a3
SHA512

b67894ab3cf9f878f2e7769b75eb0b27e2a4d0fa7108482bff934b9c596317832259141b08fa642608a5a86653817e834f37f51623839660e4c78710e77b1484
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHo:7v97AXmw4gxeOw46fUbNecCCFbNecx

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023621-28.dat	warzonerat
behavioral2/files/0x000800000002361f-54.dat	warzonerat
behavioral2/files/0x000400000000070b-68.dat	warzonerat
behavioral2/files/0x000400000000070b-233.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 30 IoCs

pid	Process
2012	explorer.exe
3548	explorer.exe
4324	explorer.exe
1612	spoolsv.exe
1668	spoolsv.exe
1244	spoolsv.exe
672	spoolsv.exe
4468	spoolsv.exe
4072	spoolsv.exe
2916	spoolsv.exe
2340	spoolsv.exe
2876	spoolsv.exe
4532	spoolsv.exe
3976	spoolsv.exe
1116	spoolsv.exe
5032	spoolsv.exe
4148	spoolsv.exe
2044	spoolsv.exe
2420	spoolsv.exe
4804	spoolsv.exe
1780	spoolsv.exe
3912	spoolsv.exe
4280	spoolsv.exe
1176	spoolsv.exe
1764	spoolsv.exe
4328	spoolsv.exe
4540	spoolsv.exe
216	spoolsv.exe
4992	spoolsv.exe
4760	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	d6ec3fabd45307dae7c308d992b2dd20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 4576 set thread context of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 2012 set thread context of 3548	2012	explorer.exe	112
PID 3548 set thread context of 4324	3548	explorer.exe	113
PID 1612 set thread context of 1668	1612	spoolsv.exe	118
PID 1244 set thread context of 672	1244	spoolsv.exe	122
PID 4468 set thread context of 4072	4468	spoolsv.exe	126
PID 2916 set thread context of 2340	2916	spoolsv.exe	130
PID 2876 set thread context of 4532	2876	spoolsv.exe	134
PID 3976 set thread context of 1116	3976	spoolsv.exe	138
PID 5032 set thread context of 4148	5032	spoolsv.exe	142
PID 2044 set thread context of 2420	2044	spoolsv.exe	146
PID 4804 set thread context of 1780	4804	spoolsv.exe	150
PID 3912 set thread context of 4280	3912	spoolsv.exe	154
PID 1176 set thread context of 1764	1176	spoolsv.exe	158
PID 4328 set thread context of 4540	4328	spoolsv.exe	162
PID 216 set thread context of 4992	216	spoolsv.exe	166

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d6ec3fabd45307dae7c308d992b2dd20N.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ec3fabd45307dae7c308d992b2dd20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ec3fabd45307dae7c308d992b2dd20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ec3fabd45307dae7c308d992b2dd20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2888	d6ec3fabd45307dae7c308d992b2dd20N.exe
2888	d6ec3fabd45307dae7c308d992b2dd20N.exe
4932	d6ec3fabd45307dae7c308d992b2dd20N.exe
4932	d6ec3fabd45307dae7c308d992b2dd20N.exe
2012	explorer.exe
2012	explorer.exe
1612	spoolsv.exe
1612	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
4324	explorer.exe
4324	explorer.exe
1244	spoolsv.exe
1244	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
4468	spoolsv.exe
4468	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
2916	spoolsv.exe
2916	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
2876	spoolsv.exe
2876	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
3976	spoolsv.exe
3976	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
5032	spoolsv.exe
5032	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
2044	spoolsv.exe
2044	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
4804	spoolsv.exe
4804	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
3912	spoolsv.exe
3912	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
1176	spoolsv.exe
1176	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
4328	spoolsv.exe
4328	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
216	spoolsv.exe
216	spoolsv.exe
4324	explorer.exe
4324	explorer.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2888	d6ec3fabd45307dae7c308d992b2dd20N.exe
2888	d6ec3fabd45307dae7c308d992b2dd20N.exe
4932	d6ec3fabd45307dae7c308d992b2dd20N.exe
4932	d6ec3fabd45307dae7c308d992b2dd20N.exe
2012	explorer.exe
2012	explorer.exe
4324	explorer.exe
4324	explorer.exe
1612	spoolsv.exe
1612	spoolsv.exe
4324	explorer.exe
4324	explorer.exe
1244	spoolsv.exe
1244	spoolsv.exe
4468	spoolsv.exe
4468	spoolsv.exe
2916	spoolsv.exe
2916	spoolsv.exe
2876	spoolsv.exe
2876	spoolsv.exe
3976	spoolsv.exe
3976	spoolsv.exe
5032	spoolsv.exe
5032	spoolsv.exe
2044	spoolsv.exe
2044	spoolsv.exe
4804	spoolsv.exe
4804	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
4328	spoolsv.exe
4328	spoolsv.exe
216	spoolsv.exe
216	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 932	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	90
PID 2888 wrote to memory of 932	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	90
PID 2888 wrote to memory of 932	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	90
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 2888 wrote to memory of 4576	2888	d6ec3fabd45307dae7c308d992b2dd20N.exe	95
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 4932	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	107
PID 4576 wrote to memory of 1200	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	108
PID 4576 wrote to memory of 1200	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	108
PID 4576 wrote to memory of 1200	4576	d6ec3fabd45307dae7c308d992b2dd20N.exe	108
PID 4932 wrote to memory of 2012	4932	d6ec3fabd45307dae7c308d992b2dd20N.exe	109
PID 4932 wrote to memory of 2012	4932	d6ec3fabd45307dae7c308d992b2dd20N.exe	109
PID 4932 wrote to memory of 2012	4932	d6ec3fabd45307dae7c308d992b2dd20N.exe	109
PID 2012 wrote to memory of 3272	2012	explorer.exe	110
PID 2012 wrote to memory of 3272	2012	explorer.exe	110
PID 2012 wrote to memory of 3272	2012	explorer.exe	110
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112
PID 2012 wrote to memory of 3548	2012	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe
"C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe
  C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe
    C:\Users\Admin\AppData\Local\Temp\d6ec3fabd45307dae7c308d992b2dd20N.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3272
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4760
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:536
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
d6ec3fabd45307dae7c308d992b2dd20

SHA1
72b86e54b784f9fde943f83278677dfe2221399c

SHA256
684f1249ded24468d83ecd163e94fce5d14ec10c478211894d4e5f5c54b047a3

SHA512
b67894ab3cf9f878f2e7769b75eb0b27e2a4d0fa7108482bff934b9c596317832259141b08fa642608a5a86653817e834f37f51623839660e4c78710e77b1484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
67eedbbe25096c6373699f547036cf3f

SHA1
2670da5d6a44d425192127687682dd8fc019ae4f

SHA256
80add05ce43e1d2e2a31a8bee072718c54548cf4322a09cd0c0791a41810bbe4

SHA512
47eda05589f4320b8ed39cf2698d762a42bb80cc8064faae0a79cddd70a8b2cd8d0dff32bf65882eecfde74731f354a332bdb818cad654eb37541459fc23cf6d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.8MB

MD5
f9310a57301d646e86a11c0aacc18dac

SHA1
3e54e18e0056eec81c0094f0838e401b1aab623b

SHA256
672e14bdb09aa8598cd911e5fb1225719de0d661872e65a0b98ec0c7543e9732

SHA512
80cc81491e56e341ed00620a3febf822a55fe9e9816a38a0b95bff689e7fdb2cc7769757b1344b70dea0125a7b56600f957d6aea713b4873aaf8c58c0aa483be

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
46032e0b63780e222d293593b0c27829

SHA1
ea5bb16789ebcec7ab0418a919edda55f66ea5e7

SHA256
081b11ecd22cf5a1765db87c954e29178244e821f203d9b88e9add93cc84e322

SHA512
c418d26870b5a4d5b460361df9ad4f33cb1f9b55803c6884bd7edba938fbbcc942f04149716cac88d2c9e623bfe23f399039be4b4b48afe755f0372e82761b91

Download Submit
memory/672-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/672-93-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/672-91-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/672-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/672-89-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/672-92-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1116-140-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-78-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-75-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-76-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1668-79-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1668-77-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1668-112-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1764-205-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1780-175-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-118-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2420-167-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3548-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3548-39-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3548-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3548-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3548-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3548-37-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3548-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3548-64-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4072-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4072-103-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4072-99-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4072-104-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4072-100-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4072-102-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4148-155-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4280-191-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4324-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-130-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4540-216-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-23-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4576-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4576-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4576-11-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-9-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/4576-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4576-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4576-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4576-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4932-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-232-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download