warzonerat | 832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184

Analysis

max time kernel
100s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
Size

13.0MB
MD5

5bf6e2677428bf5522ce0e73800d6e4e
SHA1

61b20e748faa569af58c8690e6bd88b4ed723bab
SHA256

832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184
SHA512

bc62b1f8fc35472077d7127052f703141524edd5e93a14985a3645e2d47422858bbc66ea66dd617ffaf48349429dfd0bca321c72571a03ac73b07c2743159894
SSDEEP

196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStJ:D7d9xZo7d9xZS7d9xZo7d9xZy

Score

10^/10

warzonerat discovery infostealer persistence rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 30 IoCs

rat

resource	yara_rule
behavioral1/files/0x00080000000170f8-90.dat	warzonerat
behavioral1/files/0x0007000000016fc9-173.dat	warzonerat
behavioral1/files/0x0003000000018334-188.dat	warzonerat
behavioral1/files/0x0003000000018334-415.dat	warzonerat
behavioral1/files/0x0003000000018334-413.dat	warzonerat
behavioral1/files/0x0003000000018334-412.dat	warzonerat
behavioral1/files/0x0003000000018334-457.dat	warzonerat
behavioral1/files/0x0003000000018334-459.dat	warzonerat
behavioral1/files/0x0003000000018334-460.dat	warzonerat
behavioral1/files/0x0003000000018334-468.dat	warzonerat
behavioral1/files/0x0003000000018334-516.dat	warzonerat
behavioral1/files/0x0003000000018334-517.dat	warzonerat
behavioral1/files/0x0003000000018334-515.dat	warzonerat
behavioral1/files/0x0003000000018334-520.dat	warzonerat
behavioral1/files/0x0003000000018334-570.dat	warzonerat
behavioral1/files/0x0003000000018334-569.dat	warzonerat
behavioral1/files/0x0003000000018334-568.dat	warzonerat
behavioral1/files/0x0003000000018334-558.dat	warzonerat
behavioral1/files/0x0003000000018334-578.dat	warzonerat
behavioral1/files/0x0003000000018334-626.dat	warzonerat
behavioral1/files/0x0003000000018334-617.dat	warzonerat
behavioral1/files/0x0003000000018334-627.dat	warzonerat
behavioral1/files/0x0003000000018334-624.dat	warzonerat
behavioral1/files/0x0003000000018334-680.dat	warzonerat
behavioral1/files/0x0003000000018334-681.dat	warzonerat
behavioral1/files/0x0003000000018334-670.dat	warzonerat
behavioral1/files/0x0003000000018334-732.dat	warzonerat
behavioral1/files/0x0003000000018334-731.dat	warzonerat
behavioral1/files/0x0003000000018334-733.dat	warzonerat
behavioral1/files/0x0003000000018334-721.dat	warzonerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1188	explorer.exe
1096	explorer.exe
1752	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2080 set thread context of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 set thread context of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 1188 set thread context of 1096	1188	explorer.exe	38
PID 1096 set thread context of 1752	1096	explorer.exe	39
PID 1096 set thread context of 1732	1096	explorer.exe	40

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2240-2-0x0000000001C90000-0x0000000001CD6000-memory.dmp	upx
behavioral1/memory/2240-43-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x00080000000170f8-90.dat	upx
behavioral1/memory/1188-102-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0007000000016fc9-173.dat	upx
behavioral1/files/0x0003000000018334-188.dat	upx
behavioral1/memory/1424-240-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1084-261-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2864-307-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0003000000018334-415.dat	upx
behavioral1/memory/2644-383-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2248-414-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0003000000018334-413.dat	upx
behavioral1/files/0x0003000000018334-412.dat	upx
behavioral1/files/0x0003000000018334-457.dat	upx
behavioral1/files/0x0003000000018334-459.dat	upx
behavioral1/files/0x0003000000018334-460.dat	upx
behavioral1/files/0x0003000000018334-468.dat	upx
behavioral1/files/0x0003000000018334-516.dat	upx
behavioral1/files/0x0003000000018334-517.dat	upx
behavioral1/files/0x0003000000018334-515.dat	upx
behavioral1/files/0x0003000000018334-520.dat	upx
behavioral1/files/0x0003000000018334-570.dat	upx
behavioral1/files/0x0003000000018334-569.dat	upx
behavioral1/files/0x0003000000018334-568.dat	upx
behavioral1/files/0x0003000000018334-558.dat	upx
behavioral1/files/0x0003000000018334-578.dat	upx
behavioral1/files/0x0003000000018334-626.dat	upx
behavioral1/files/0x0003000000018334-617.dat	upx
behavioral1/files/0x0003000000018334-627.dat	upx
behavioral1/files/0x0003000000018334-624.dat	upx
behavioral1/files/0x0003000000018334-680.dat	upx
behavioral1/files/0x0003000000018334-681.dat	upx
behavioral1/files/0x0003000000018334-670.dat	upx
behavioral1/files/0x0003000000018334-732.dat	upx
behavioral1/files/0x0003000000018334-731.dat	upx
behavioral1/files/0x0003000000018334-733.dat	upx
behavioral1/files/0x0003000000018334-721.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
1188	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
1188	explorer.exe
1188	explorer.exe
1752	explorer.exe
1752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2308	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2308	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2308	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2308	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2080	2240	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2800	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2080 wrote to memory of 2736	2080	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	35
PID 2800 wrote to memory of 1188	2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	36
PID 2800 wrote to memory of 1188	2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	36
PID 2800 wrote to memory of 1188	2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	36
PID 2800 wrote to memory of 1188	2800	5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe	36
PID 1188 wrote to memory of 1956	1188	explorer.exe	37
PID 1188 wrote to memory of 1956	1188	explorer.exe	37
PID 1188 wrote to memory of 1956	1188	explorer.exe	37
PID 1188 wrote to memory of 1956	1188	explorer.exe	37
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38
PID 1188 wrote to memory of 1096	1188	explorer.exe	38

C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        
        PID:1956
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1096
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2524
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1732
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
13.0MB

MD5
5bf6e2677428bf5522ce0e73800d6e4e

SHA1
61b20e748faa569af58c8690e6bd88b4ed723bab

SHA256
832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184

SHA512
bc62b1f8fc35472077d7127052f703141524edd5e93a14985a3645e2d47422858bbc66ea66dd617ffaf48349429dfd0bca321c72571a03ac73b07c2743159894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe

Filesize
13.0MB

MD5
c892c02d59f81edf2f521df100111210

SHA1
370047b37e8110b6b4f28a4c971516befad89477

SHA256
ed3b8a9fc8cacf4f3756daaa04877740943e6aa033568cf73ab952c996ff58d0

SHA512
128d90fac6aa5ee474d04c329d6cc6a9e8c046990ca3de338fb16ae892430deed16d3a93667eb571af4b3f58a684c2c0afc7386f84f3b56424a43bad65f89580

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
12.6MB

MD5
6a223935d2c78d40333a7045ef903a44

SHA1
2e5f3f193a1a959cdf4377248cc55b37894f5ae9

SHA256
948bcaa41300f0f00521f3e1ba043bbb34737eabf215a5c05285c86451a9bff8

SHA512
5e8235a232200f33e63273b0e43e0a1bfd6742ca7d4ff7dda2de181fcd314746c87abb28a0d2bba0321e2dcfbcfb58658063dfe1b44e49c2cb86b65aa3e61981

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
10.9MB

MD5
013f8dc55c12de76ac4ff317243cedf3

SHA1
2fd78f9fae087d834203ad57a42b5463588fb676

SHA256
74faccfccb5eebef981946790728f2534bc2868bb1d4dcd031e38e2e49a6971e

SHA512
383154dab4b1d83ba6466071157706ad0d0d2275ccb5654786eaf9b9b930d2db1b1f8db15b3905129be09f112489655cfa37bf2b8896fd478bc098dff221d277

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
8.6MB

MD5
627eb73d700b94ece3a393423c171d10

SHA1
b43b91a44eda1d55863f2da87ab9158a3290a34b

SHA256
1c294a05c56eb111e88f4f9f6779d021e1d4cb6b886caa867772f5c947d64e0a

SHA512
7edccda3f986e6edb85b5da40a87d449a5ad34247c0763ed3ec966131799b8e0f12082991fcabca1d51f76fc101ee033a33583a6bacf5b107832fda909e94a66

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
7.9MB

MD5
358d60106f31b200c8344ba14076f19c

SHA1
5cbb28a897578682a7e0e326b36e11e6502eb2da

SHA256
bb0e6a2e996963e09609ca3092a51bf7f435be076c723999b2d40a7c5ccb0357

SHA512
993a03d8b7b9e8ed6105ac6819888d92f361baf5fb018667393fc8a18a26f1c59e448bed1eeef02a715c9694433389ab73b346bcaff26687d2aa29f829f1b481

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
9.6MB

MD5
8f96bd60b4ac89d8b6ca2e33d0ab33f8

SHA1
5faa2e10d85f996bc039888193a3cf0a3cd098d5

SHA256
2c585d125542029964b8ed047b35b60d17060682a789c45e7e9df72fdd31e24b

SHA512
d32830af54fad4da9b27db9fb8f918c188727d62e129eb2321ef0aa7fa6ad185ce024182925dc74c532526577e648cc575fefe1aa20af067ac033a533c4ee2b7

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
5.5MB

MD5
3629a8555a44b8a9ae27032ddf110395

SHA1
c997c261438c87e45575a5040972037398b0b4a5

SHA256
f263d356db73f49f1e339f8d9928727bb47cf889bdb1e52ee414f3a5a4db57af

SHA512
7f15d8685c9215f92dcaebc7388a0fa11bc05dfb3aacd66c1b495aa8ecef0a8c8ed8ab9df2283702044dc9ae4a775d4ed5c454a296a1e8b6d210a8c92fd0ed76

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
8.1MB

MD5
c556e1aff395586bc96701f9e0d7456f

SHA1
78087c89560204fab69f83268403327d284891cb

SHA256
9d5e607ffd327e3fc66601c8931e51ee4e0673b3d02ad68a0f4cd99cfe924ec7

SHA512
581091d1466ab43a313ccb6e532da1cec5999dbdd5583d7fb3a9f67d5c8b65f74564899b855684fa2fd43e060c7172091996e2ecbacb415bb7afb82b3fdd1829

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
8.5MB

MD5
ba4cbf488ff99ad189b1bff041eaa0fa

SHA1
32af7299d2f8ac5421e6ac900a0c32922ea80400

SHA256
e835227fe4aa3c1696bd2c3400a5782aafed190c598e20d0322239c1f991234e

SHA512
19b20b47e1fb6639b2da1bfdb6f7dbd12b5f542494941460e7ac3107d4f8311f41afb86f763e3fd75747fc99da602b305b900a7f25e1178c3a3659afd176873d

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
3.1MB

MD5
627e274178dcc737622ed2be0f6f5502

SHA1
6b9babc1697a0b58b7907463eb3c5fe76eaab963

SHA256
8e52ac3bd96176dcb2589150513d955525c6ad8c909779236b24da336423db86

SHA512
141e69667a44e7f54379f0ee9c7095ea155a0de602aadcdb38a2cc9e6423c157495cadcf71661eaf6abae749b1e5904c4f569a5caa4e45495d55c81cc1b1e636

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.8MB

MD5
d64579985be59941da25529f147aab92

SHA1
47d17d23ee66de97c5ca876ae4cf11059f22e07a

SHA256
a5af8e8c59c1ccaf9c261c755ba4c896d70fb982275fa3754fcfdb26f024cd3b

SHA512
ce3e40096ade4afa69d4e19f9bc2105e1f9bb2e05d83d783620092440c4e0dfdc22781a76df2c47798758693871babaf3e46784ecfb9df4ffdc5a8ce03fd252f

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
3.1MB

MD5
c0bfdcf8155d9730950037ad3d9e6807

SHA1
55fc4d4c5932f3846c3bf34a7b5a83d9489a205c

SHA256
3e5666e84d8eba3e1fd0e573187e9e1b44ae7652112080a3d9d18345433fd137

SHA512
554ea054f8d5a054369cf78cb914b28838a454f52b5031261ebe57533488750221cafe441d4a01e766a15aec11fd99ec33545d2ac82109772998e3d9f4d3a053

Download Submit
\Windows\system\spoolsv.exe

Filesize
13.0MB

MD5
290ddd1830dc744229fd747f828bed90

SHA1
0cdd4e5b4806fe076a2951d0574b1bbe3d2e5567

SHA256
a17d21718479ce15d77bac5a4ac5623310fc08253216bac2795983da918484a6

SHA512
89b8e68268cb6ad861d914c1871548ba97e929b4b2ba1299bb7653353bf4495d65618e7d1e42ee5868c21c9dee16844874f14c9efa4f6f8a249819b2eb6fed47

Download Submit
\Windows\system\spoolsv.exe

Filesize
11.6MB

MD5
9ab1f1dabea96b838ab3f10c73422190

SHA1
94bfc1dac5a5f348265ed74d2568a300a47ae470

SHA256
961add0e247bc5bdb556343131eb822f6ecb197ad3da7700ce3b90a0ec03ec69

SHA512
d22248662518056ac582757a1021d13cf38a8eb7038cd11b0ca25aa84bc722a8ae20cc78a672cae61b07b46b2e236efba115ceb6308fe927516149f025e0c50f

Download Submit
\Windows\system\spoolsv.exe

Filesize
10.7MB

MD5
45d07374d005f2b49c5073fd1d9e1428

SHA1
672cdd7638cefee0244221972c97de638f42c7d6

SHA256
c41f1e45bf4bf71c6d6c7c2dd8d9100da10cb3fe3b5058d608ae9f2a4769fa2e

SHA512
721c6b5faa9fccbb080923ee96beb1644238ae5a52da753541c4f847e9a69fa21b5bf1d56b4e70c6a6eb901fbb600efd719f991697e7cbf43a3cd86097fc0d69

Download Submit
\Windows\system\spoolsv.exe

Filesize
11.4MB

MD5
096c2ce614a147a5c7c96baedaa50a10

SHA1
560e7ccb2211276fcb2640254cb2386c7fc2fc6e

SHA256
f8f72f4b558b1b8746508f8164fe3c46494bb78ea8c10cdac9ff4ce75b6cdac2

SHA512
63ae893b55b25dbc2d40d23fe5f57766b984c518322d1cd2c47d64747922d7ca93b7ca8e654a1613ffca0b79e1b8d78609e400303d12dab4a3c86a5dad9ba2ed

Download Submit
\Windows\system\spoolsv.exe

Filesize
11.6MB

MD5
a46a8561957d3d4a32b29269a36b1bfe

SHA1
6a0751215a70978945d5f710af03accb8e4481d1

SHA256
f764ad4bfa66299e08f84c8d47648b68f7e91bba0b1a2bf5d6d1a7b4c04e8ddf

SHA512
8be818b09cefe5ec7293a2a98ef3153116cef7181e3d2a219b9ace7528b8793585f1fa0811860477c6780d49f4ddc9582fa2a444144e01f13a5f61c03ca77f96

Download Submit
\Windows\system\spoolsv.exe

Filesize
11.5MB

MD5
b7c9c1e83778258ddd4b4c3765433679

SHA1
38dbeec8df33d2b72da624e07cf32f5fdc252b52

SHA256
6aa22d74603123d5bcc2ca38e304e9312406616b8df98bbe06fb3f818b3c4099

SHA512
0113edd8941724d48eb043e312b5088cd5b776930d144644965aa8d2363596be6d5a3a9a089979dac81b980f76160ff1e0d147f2ac713dea3b51a40c120aec41

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.8MB

MD5
e23d53e11fbc29e332c02e056de508eb

SHA1
e8b0daff48ff26c13dc9acda6a8c28376d620c6b

SHA256
eee4cfd1726d7f2a11092f1ef51fed86980f8872ec6a3398da32d00451521322

SHA512
c1ef98214f477c1093094987ccbdd61a267e799b3ed591818dbc276ad644c95ce95c63460d8772d6af2bf9c32e07422c50504e3b13d8ac71482b0e63da6be1fd

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.7MB

MD5
f327762c55fde3b81029ba4993f62a0d

SHA1
5dc1610cde5e31747628c8764c85e4125a7246b6

SHA256
364cbc31df3128a2765b87c013b3496937fec347c35e78a50e017071f4b143dc

SHA512
f872e1f62b5339d4c1f21d41beb5888a526117305405ccee8a170e0b901f6b89d995783d4d36e805b99d8f573a3e5bd40fb593525e134104c70ba92a6107b006

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.0MB

MD5
5b55bb758efdd1c84700543b648f0e4d

SHA1
18ac33b9bd15f5a3d42547ab9c28a73f25cdb455

SHA256
edda8f0886818194d64420178911b1cc9500d07e8ff83d51aed64b13b97474ac

SHA512
06da11f0e1ad2bb416a29a54dc7c42d21da9e81f497face2742d5c599399c4a002c386f60f068d09f65772cab83234b410aa6174bd50167345ec5772d30ed74c

Download Submit
\Windows\system\spoolsv.exe

Filesize
10.2MB

MD5
f515c9ce11107c8ca05ac578bbd9d509

SHA1
0d6046bff6a1c19775bf0189a087e487e7b1cc89

SHA256
fe0a578e87ab4081d5ca3dca1a5fd3c8e350893503e454174ed9b178c8b42b71

SHA512
42860326603f4d088fdf58402469b7191fe180331b54b0969c07733e889cb6324f883a074707676f83bd2fbd9bbbf38e3386ac1d1928b9e98fc8e179d190c01e

Download Submit
\Windows\system\spoolsv.exe

Filesize
10.1MB

MD5
eaee85b7341d03d64f6df65fe77a15ac

SHA1
4670c6caf4a06f1208d48edbaac918054efab64b

SHA256
91336082c6ff98cc83ecddb09a7e27dfac94f0e514dd14c443d6d2c064b4e320

SHA512
c824a0e079aac52d0950210612258306537eda42c9ac777fff0f930d01c8b28e0fde7e4a446db7909503ad3fcfd557211bf4f330acbf1eb211d4c6ffb80190ca

Download Submit
\Windows\system\spoolsv.exe

Filesize
6.0MB

MD5
4c1118698ee3ed03c8f5ca95f9b3edc0

SHA1
640e5a10f4f4926051cdcd56b8b43389ed509970

SHA256
08ffdc96fbba545090a7254eda527cf71d898e85b58c1556ac9e50c3c66ac9c0

SHA512
5c7b4951401bc3d412f03cdbb82fa961373c4288f38c406239ee3d5c308f412aefefbb79eebb6c664b8870a231177311194cf7ff376f1adf40b8cec06fef6f9a

Download Submit
\Windows\system\spoolsv.exe

Filesize
6.1MB

MD5
0422fa59ed070f36311590e56a251362

SHA1
b07ccace73b613c85ff4754fcd66748de997e5bd

SHA256
1d8d01309667e66b6adcffb4e4d53a4843cd401e4c6ed7188cf19adebf2805d0

SHA512
af198b36b38a341ad7f7ce6fd4c0c714d83d8fccc5cb1178cc19abc1a20629bd1e2fd3d6c5826722bab02ac2ae9362e2d907fed4193e4d3432c1f0ba6649aff2

Download Submit
\Windows\system\spoolsv.exe

Filesize
7.3MB

MD5
f9cd58b0640f87d004e69a420fd97875

SHA1
398af497f763c4ae2d848e97514e9ceb5a675b5a

SHA256
cd45d8697434df80874490404d5fa5b64e410de86b6e80b770bb7ab1aaa77522

SHA512
ce894f54c6e8205b16e88967addc7c2a1d863c928b35acff517f24245540822824d76c3b26aae8d97af02505f56aaa8992569fba90e45dc736b49fee0e96da60

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.1MB

MD5
fba478552e3b8e6ad8346b0e4e757c24

SHA1
9545adebc305cec19a9b8b8a54a38d12cac72dec

SHA256
c3108888d80b4072fea9e6b7083d5661d4e069489ea3f025b596108d5deff248

SHA512
c13c00c9124ec833d98bddbde55916fa0d5d5c1dd4d360fe9673326612e62dc81ce63b31e0d3cdee92118a636ad771e1971200eab4a0209a3c5d66d47cd24d29

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.8MB

MD5
50022d6e99b7fbbbffed14025e6d4b7e

SHA1
4e7a00932d583e3d25913cbb35d7c58274c99736

SHA256
f14081a01466b41cf9b0e9349e9c6118a85343e82500bf63a612a0f4f411bb1c

SHA512
9c00b017c7d6915f9d600a69a7aed4429e5570b55e4056108c7f3ee1385ef68f271d193eea87dada64aea9003fec9a98f417eb4d81493b76a2956825ec538245

Download Submit
\Windows\system\spoolsv.exe

Filesize
4.7MB

MD5
f820c364928f7aad63842633a34c1a5c

SHA1
b85f04b0c45080ad319d73064fba574dfcfaf9bc

SHA256
03b1ff9dd29675d0efceb6398dca9e960eaab66352f57fc879db9d2b878d5559

SHA512
dd25da621b54d18923c01df281104af1cd8cb93e58092dab881ead0e306e1d574a3ee5e423d2389ec9cf6fea679c987ade3758844925f45990feb8f1437272dd

Download Submit
memory/1084-261-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1084-262-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/1096-187-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1096-149-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1188-102-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1424-240-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1752-308-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-194-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-574-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-571-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-514-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-360-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-361-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-306-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-255-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1752-256-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1756-300-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1888-441-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1912-259-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2080-52-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-47-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-45-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-42-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-3-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2080-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-54-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2080-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-72-0x0000000007160000-0x00000000071A6000-memory.dmp

Filesize
280KB

Download
memory/2080-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-33-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-92-0x0000000007160000-0x0000000007172000-memory.dmp

Filesize
72KB

Download
memory/2080-91-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-44-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2080-53-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-51-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2080-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2080-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2240-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2240-2-0x0000000001C90000-0x0000000001CD6000-memory.dmp

Filesize
280KB

Download
memory/2240-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2248-414-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2644-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2736-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2800-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-100-0x00000000024E0000-0x0000000002526000-memory.dmp

Filesize
280KB

Download
memory/2800-99-0x00000000024E0000-0x0000000002526000-memory.dmp

Filesize
280KB

Download
memory/2800-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-316-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/2864-307-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2928-381-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download