warzonerat | fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c

Resubmissions

13/01/2025, 04:25

250113-e1646awjay 10

12/01/2025, 18:11

250112-wssegavrfl 10

Analysis

max time kernel
898s
max time network
837s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
Size

1.8MB
MD5

8fbadab3fee07f074017c6b0a9804bdf
SHA1

87a4b286a1d2d88c3d0e037bbabc485c9b62d7d8
SHA256

fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c
SHA512

0333207cee1e97189b031cdcef05450510c2d1f77fe3e45afedec1a5f2ebf307a634320f99c8689696ad5f74c2fb7270e4061ed7e13cde195982d5cafdd3402a
SSDEEP

12288:BUrjP8Xuc2UY0B8TIwDDMistJ6gicRzubSFJeOgTpBA7W2FeDSIGVH/KIDgDgUef:ujjSYIUDJ86giGTPQDbGV6eH81kT

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0034000000016d64-38.dat	warzonerat
behavioral1/files/0x0008000000016d89-39.dat	warzonerat

Executes dropped EXE 33 IoCs

pid	Process
1508	StikyNot.exe
568	StikyNot.exe
1980	StikyNot.exe
2120	StikyNot.exe
2616	StikyNot.exe
2968	StikyNot.exe
344	StikyNot.exe
1040	StikyNot.exe
2316	StikyNot.exe
2248	StikyNot.exe
2960	StikyNot.exe
1588	StikyNot.exe
2592	StikyNot.exe
2160	StikyNot.exe
2392	StikyNot.exe
2192	StikyNot.exe
1084	StikyNot.exe
1516	StikyNot.exe
2312	StikyNot.exe
2840	StikyNot.exe
2788	StikyNot.exe
852	StikyNot.exe
1808	StikyNot.exe
332	StikyNot.exe
2132	StikyNot.exe
2528	StikyNot.exe
688	StikyNot.exe
1848	StikyNot.exe
2312	StikyNot.exe
352	StikyNot.exe
2420	StikyNot.exe
1112	StikyNot.exe
1156	StikyNot.exe

Loads dropped DLL 18 IoCs

pid	Process
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2660	diskperf.exe
2836	diskperf.exe
2188	diskperf.exe
1984	diskperf.exe
2560	diskperf.exe
2188	diskperf.exe
2876	diskperf.exe
2264	diskperf.exe
1556	diskperf.exe
1976	diskperf.exe
1644	diskperf.exe
1984	diskperf.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe

Suspicious use of SetThreadContext 34 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 set thread context of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 1508 set thread context of 568	1508	StikyNot.exe	34
PID 1508 set thread context of 1644	1508	StikyNot.exe	35
PID 1980 set thread context of 2120	1980	StikyNot.exe	37
PID 1980 set thread context of 2660	1980	StikyNot.exe	38
PID 2616 set thread context of 2968	2616	StikyNot.exe	40
PID 2616 set thread context of 2836	2616	StikyNot.exe	41
PID 344 set thread context of 1040	344	StikyNot.exe	43
PID 344 set thread context of 2188	344	StikyNot.exe	44
PID 2316 set thread context of 2248	2316	StikyNot.exe	46
PID 2316 set thread context of 1984	2316	StikyNot.exe	47
PID 2960 set thread context of 1588	2960	StikyNot.exe	49
PID 2960 set thread context of 2680	2960	StikyNot.exe	50
PID 2592 set thread context of 2160	2592	StikyNot.exe	52
PID 2592 set thread context of 2876	2592	StikyNot.exe	53
PID 2392 set thread context of 2192	2392	StikyNot.exe	55
PID 2392 set thread context of 1936	2392	StikyNot.exe	56
PID 1084 set thread context of 1516	1084	StikyNot.exe	58
PID 1084 set thread context of 2264	1084	StikyNot.exe	59
PID 2312 set thread context of 2840	2312	StikyNot.exe	61
PID 2312 set thread context of 1556	2312	StikyNot.exe	62
PID 2788 set thread context of 852	2788	StikyNot.exe	64
PID 2788 set thread context of 1976	2788	StikyNot.exe	65
PID 1808 set thread context of 332	1808	StikyNot.exe	67
PID 1808 set thread context of 1788	1808	StikyNot.exe	68
PID 2132 set thread context of 2528	2132	StikyNot.exe	70
PID 2132 set thread context of 856	2132	StikyNot.exe	71
PID 688 set thread context of 1848	688	StikyNot.exe	73
PID 688 set thread context of 2780	688	StikyNot.exe	74
PID 2312 set thread context of 352	2312	StikyNot.exe	76
PID 2312 set thread context of 1356	2312	StikyNot.exe	77
PID 2420 set thread context of 1112	2420	StikyNot.exe	79
PID 2420 set thread context of 344	2420	StikyNot.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe

NTFS ADS 20 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
2660	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
2660	diskperf.exe
1644	diskperf.exe
2560	diskperf.exe
2660	diskperf.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2576	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
2576	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
568	StikyNot.exe
568	StikyNot.exe
2120	StikyNot.exe
2120	StikyNot.exe
2968	StikyNot.exe
2968	StikyNot.exe
1040	StikyNot.exe
1040	StikyNot.exe
2248	StikyNot.exe
2248	StikyNot.exe
1588	StikyNot.exe
1588	StikyNot.exe
2160	StikyNot.exe
2160	StikyNot.exe
2192	StikyNot.exe
2192	StikyNot.exe
1516	StikyNot.exe
1516	StikyNot.exe
2840	StikyNot.exe
2840	StikyNot.exe
852	StikyNot.exe
852	StikyNot.exe
332	StikyNot.exe
332	StikyNot.exe
2528	StikyNot.exe
2528	StikyNot.exe
1848	StikyNot.exe
1848	StikyNot.exe
352	StikyNot.exe
352	StikyNot.exe
1112	StikyNot.exe
1112	StikyNot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2576	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	30
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2232 wrote to memory of 2560	2232	fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe	31
PID 2560 wrote to memory of 1508	2560	diskperf.exe	33
PID 2560 wrote to memory of 1508	2560	diskperf.exe	33
PID 2560 wrote to memory of 1508	2560	diskperf.exe	33
PID 2560 wrote to memory of 1508	2560	diskperf.exe	33
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 568	1508	StikyNot.exe	34
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 1508 wrote to memory of 1644	1508	StikyNot.exe	35
PID 2560 wrote to memory of 1980	2560	diskperf.exe	36
PID 2560 wrote to memory of 1980	2560	diskperf.exe	36
PID 2560 wrote to memory of 1980	2560	diskperf.exe	36
PID 2560 wrote to memory of 1980	2560	diskperf.exe	36
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2120	1980	StikyNot.exe	37
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 1980 wrote to memory of 2660	1980	StikyNot.exe	38
PID 2560 wrote to memory of 2616	2560	diskperf.exe	39
PID 2560 wrote to memory of 2616	2560	diskperf.exe	39
PID 2560 wrote to memory of 2616	2560	diskperf.exe	39
PID 2560 wrote to memory of 2616	2560	diskperf.exe	39
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40
PID 2616 wrote to memory of 2968	2616	StikyNot.exe	40

C:\Users\Admin\AppData\Local\Temp\fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
C:\Users\Admin\AppData\Local\Temp\fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe
  C:\Users\Admin\AppData\Local\Temp\fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:568
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      PID:1644
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        10⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:344
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2120
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      PID:2660
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2680
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2968
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2836
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        8⤵
        
        PID:1788
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:344
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1040
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2188
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:852
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        8⤵
        
        PID:1356
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2312
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2840
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:1556
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:688
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.8MB

MD5
16e8977d356cbb57da1a2652f1eb4cf1

SHA1
04b1c126f0576dfeddf762a0d1d61d49036199fa

SHA256
883dd43dde22cfac821e474b6df094c420a6cd47e2ede896e82afa5c81fcb262

SHA512
89aef83f48d1c71d153d7ade9d5d36037c0f555b3e0fccd0fa044c148b6018a7368370c9ac9ae649b1a8e322ef073198dc5c01d0b1250a0726474e3f4c8ea275

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
1.8MB

MD5
8fbadab3fee07f074017c6b0a9804bdf

SHA1
87a4b286a1d2d88c3d0e037bbabc485c9b62d7d8

SHA256
fda9c8dc11e87a2253800b7a579ef3e12c43e383a8294e081088ac63e697086c

SHA512
0333207cee1e97189b031cdcef05450510c2d1f77fe3e45afedec1a5f2ebf307a634320f99c8689696ad5f74c2fb7270e4061ed7e13cde195982d5cafdd3402a

Download Submit
memory/332-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/344-221-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/344-199-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/352-691-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/568-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-626-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/688-649-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1040-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-422-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1084-423-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1084-445-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1156-743-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1508-57-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1508-87-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1508-60-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-625-0x0000000000BC0000-0x0000000000CD4000-memory.dmp

Filesize
1.1MB

Download
memory/1556-624-0x0000000000BC0000-0x0000000000CD4000-memory.dmp

Filesize
1.1MB

Download
memory/1588-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1644-704-0x0000000000D00000-0x0000000000E14000-memory.dmp

Filesize
1.1MB

Download
memory/1644-703-0x0000000000D00000-0x0000000000E14000-memory.dmp

Filesize
1.1MB

Download
memory/1644-244-0x0000000000D00000-0x0000000000E14000-memory.dmp

Filesize
1.1MB

Download
memory/1644-243-0x0000000000D00000-0x0000000000E14000-memory.dmp

Filesize
1.1MB

Download
memory/1808-569-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1808-546-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1848-651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-663-0x0000000000C70000-0x0000000000D84000-memory.dmp

Filesize
1.1MB

Download
memory/1976-664-0x0000000000C70000-0x0000000000D84000-memory.dmp

Filesize
1.1MB

Download
memory/1980-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1980-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1980-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1984-742-0x0000000000CF0000-0x0000000000E04000-memory.dmp

Filesize
1.1MB

Download
memory/2120-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-604-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2132-586-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2160-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-504-0x0000000000D80000-0x0000000000E94000-memory.dmp

Filesize
1.1MB

Download
memory/2188-378-0x0000000000D80000-0x0000000000E94000-memory.dmp

Filesize
1.1MB

Download
memory/2188-506-0x0000000000D80000-0x0000000000E94000-memory.dmp

Filesize
1.1MB

Download
memory/2232-30-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2232-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2232-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2232-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2232-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2248-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-585-0x0000000000CC0000-0x0000000000DD4000-memory.dmp

Filesize
1.1MB

Download
memory/2264-584-0x0000000000CC0000-0x0000000000DD4000-memory.dmp

Filesize
1.1MB

Download
memory/2312-464-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2312-665-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2312-684-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2312-492-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2312-466-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2316-245-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2316-266-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2392-380-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2392-406-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2420-705-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2420-729-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2528-612-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-463-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-198-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-58-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-50-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-154-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-56-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-109-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-59-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2560-465-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2576-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-34-0x0000000000440000-0x00000000005C1000-memory.dmp

Filesize
1.5MB

Download
memory/2576-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-356-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2592-335-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2616-155-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2616-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2660-288-0x0000000000D50000-0x0000000000E64000-memory.dmp

Filesize
1.1MB

Download
memory/2660-290-0x0000000000D50000-0x0000000000E64000-memory.dmp

Filesize
1.1MB

Download
memory/2788-507-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2788-526-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2788-505-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2840-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-544-0x0000000000C00000-0x0000000000D14000-memory.dmp

Filesize
1.1MB

Download
memory/2876-545-0x0000000000C00000-0x0000000000D14000-memory.dmp

Filesize
1.1MB

Download
memory/2960-314-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2960-291-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download