warzonerat | 22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994

Resubmissions

13-01-2025 04:24

250113-e1qgeaykcj 10

12-01-2025 18:25

250112-w2kqzswlap 10

Analysis

max time kernel
899s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
Size

2.9MB
MD5

b301fcd837bc76a763b37dd59ae8c266
SHA1

2e6610726c9419df3a4d32a1bad0d5d6e3582c9d
SHA256

22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994
SHA512

2a639f1afec3848a10a91887e5f9009783bdefd0f87b7a7a55a9f4ddc261a61b29cf888ea562946b298cb423ccab748c3ace92fa961ef32926c00c1f21c907df
SSDEEP

24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHr:7v97AXmw4gxeOw46fUbNecCCFbNecE

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023c12-34.dat	warzonerat
behavioral2/files/0x000300000000070b-221.dat	warzonerat
behavioral2/files/0x0009000000023c12-339.dat	warzonerat

Drops startup file 17 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 47 IoCs

pid	Process
3896	StikyNot.exe
676	StikyNot.exe
5000	StikyNot.exe
652	StikyNot.exe
3168	StikyNot.exe
4368	StikyNot.exe
4856	StikyNot.exe
4520	StikyNot.exe
2112	StikyNot.exe
2960	StikyNot.exe
1380	StikyNot.exe
1496	StikyNot.exe
3868	StikyNot.exe
3852	StikyNot.exe
1932	StikyNot.exe
3588	StikyNot.exe
1692	StikyNot.exe
5004	StikyNot.exe
388	StikyNot.exe
4612	StikyNot.exe
3132	StikyNot.exe
2180	StikyNot.exe
1396	StikyNot.exe
3716	StikyNot.exe
2352	StikyNot.exe
2304	StikyNot.exe
1924	StikyNot.exe
4068	StikyNot.exe
3908	StikyNot.exe
4740	StikyNot.exe
3636	StikyNot.exe
3284	StikyNot.exe
2848	StikyNot.exe
1584	StikyNot.exe
412	StikyNot.exe
4504	StikyNot.exe
4044	StikyNot.exe
3348	StikyNot.exe
2540	StikyNot.exe
3384	StikyNot.exe
4432	StikyNot.exe
244	StikyNot.exe
2624	StikyNot.exe
3380	StikyNot.exe
1120	StikyNot.exe
2832	StikyNot.exe
4008	StikyNot.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe

Suspicious use of SetThreadContext 45 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 4716 set thread context of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 set thread context of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 3896 set thread context of 676	3896	StikyNot.exe	109
PID 676 set thread context of 5000	676	StikyNot.exe	110
PID 652 set thread context of 3168	652	StikyNot.exe	115
PID 3168 set thread context of 4368	3168	StikyNot.exe	116
PID 3168 set thread context of 4456	3168	StikyNot.exe	117
PID 4856 set thread context of 4520	4856	StikyNot.exe	121
PID 4520 set thread context of 2112	4520	StikyNot.exe	122
PID 4520 set thread context of 2788	4520	StikyNot.exe	123
PID 2960 set thread context of 1380	2960	StikyNot.exe	127
PID 1380 set thread context of 1496	1380	StikyNot.exe	128
PID 1380 set thread context of 3192	1380	StikyNot.exe	129
PID 3868 set thread context of 3852	3868	StikyNot.exe	133
PID 3852 set thread context of 1932	3852	StikyNot.exe	134
PID 3852 set thread context of 436	3852	StikyNot.exe	135
PID 3588 set thread context of 1692	3588	StikyNot.exe	139
PID 1692 set thread context of 5004	1692	StikyNot.exe	140
PID 1692 set thread context of 1696	1692	StikyNot.exe	141
PID 388 set thread context of 4612	388	StikyNot.exe	145
PID 4612 set thread context of 3132	4612	StikyNot.exe	146
PID 2180 set thread context of 1396	2180	StikyNot.exe	151
PID 1396 set thread context of 3716	1396	StikyNot.exe	152
PID 1396 set thread context of 60	1396	StikyNot.exe	153
PID 2352 set thread context of 2304	2352	StikyNot.exe	157
PID 2304 set thread context of 1924	2304	StikyNot.exe	158
PID 4068 set thread context of 3908	4068	StikyNot.exe	163
PID 3908 set thread context of 4740	3908	StikyNot.exe	164
PID 3908 set thread context of 4500	3908	StikyNot.exe	165
PID 3636 set thread context of 3284	3636	StikyNot.exe	169
PID 3284 set thread context of 2848	3284	StikyNot.exe	170
PID 3284 set thread context of 3568	3284	StikyNot.exe	171
PID 1584 set thread context of 412	1584	StikyNot.exe	175
PID 412 set thread context of 4504	412	StikyNot.exe	176
PID 4044 set thread context of 3348	4044	StikyNot.exe	181
PID 3348 set thread context of 2540	3348	StikyNot.exe	182
PID 3348 set thread context of 2156	3348	StikyNot.exe	183
PID 3384 set thread context of 4432	3384	StikyNot.exe	187
PID 4432 set thread context of 244	4432	StikyNot.exe	188
PID 4432 set thread context of 2780	4432	StikyNot.exe	189
PID 2624 set thread context of 3380	2624	StikyNot.exe	193
PID 3380 set thread context of 1120	3380	StikyNot.exe	194
PID 3380 set thread context of 1000	3380	StikyNot.exe	195
PID 2832 set thread context of 4008	2832	StikyNot.exe	199

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe

NTFS ADS 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
3896	StikyNot.exe
3896	StikyNot.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
652	StikyNot.exe
652	StikyNot.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
4856	StikyNot.exe
4856	StikyNot.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe
1068	diskperf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
1324	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
1324	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
3896	StikyNot.exe
3896	StikyNot.exe
5000	StikyNot.exe
5000	StikyNot.exe
652	StikyNot.exe
652	StikyNot.exe
4368	StikyNot.exe
4368	StikyNot.exe
4856	StikyNot.exe
4856	StikyNot.exe
2112	StikyNot.exe
2112	StikyNot.exe
2960	StikyNot.exe
2960	StikyNot.exe
1496	StikyNot.exe
1496	StikyNot.exe
3868	StikyNot.exe
3868	StikyNot.exe
1932	StikyNot.exe
1932	StikyNot.exe
3588	StikyNot.exe
3588	StikyNot.exe
5004	StikyNot.exe
5004	StikyNot.exe
388	StikyNot.exe
388	StikyNot.exe
3132	StikyNot.exe
3132	StikyNot.exe
2180	StikyNot.exe
2180	StikyNot.exe
3716	StikyNot.exe
3716	StikyNot.exe
2352	StikyNot.exe
2352	StikyNot.exe
1924	StikyNot.exe
1924	StikyNot.exe
4068	StikyNot.exe
4068	StikyNot.exe
4740	StikyNot.exe
4740	StikyNot.exe
3636	StikyNot.exe
3636	StikyNot.exe
2848	StikyNot.exe
2848	StikyNot.exe
1584	StikyNot.exe
1584	StikyNot.exe
4504	StikyNot.exe
4504	StikyNot.exe
4044	StikyNot.exe
4044	StikyNot.exe
2540	StikyNot.exe
2540	StikyNot.exe
3384	StikyNot.exe
3384	StikyNot.exe
244	StikyNot.exe
244	StikyNot.exe
2624	StikyNot.exe
2624	StikyNot.exe
1120	StikyNot.exe
1120	StikyNot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 544	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	83
PID 3184 wrote to memory of 544	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	83
PID 3184 wrote to memory of 544	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	83
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 3184 wrote to memory of 4716	3184	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	85
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1324	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	103
PID 4716 wrote to memory of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 4716 wrote to memory of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 4716 wrote to memory of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 4716 wrote to memory of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 4716 wrote to memory of 1068	4716	22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe	104
PID 1068 wrote to memory of 3896	1068	diskperf.exe	106
PID 1068 wrote to memory of 3896	1068	diskperf.exe	106
PID 1068 wrote to memory of 3896	1068	diskperf.exe	106
PID 3896 wrote to memory of 1556	3896	StikyNot.exe	107
PID 3896 wrote to memory of 1556	3896	StikyNot.exe	107
PID 3896 wrote to memory of 1556	3896	StikyNot.exe	107
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109
PID 3896 wrote to memory of 676	3896	StikyNot.exe	109

C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
  C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
    C:\Users\Admin\AppData\Local\Temp\22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:1556
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:676
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5000
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4860
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4368
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        NTFS ADS
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4740
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        12⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3716
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:3680
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:244
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2780
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1380
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        NTFS ADS
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        12⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:632
    - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe

Filesize
2.9MB

MD5
7b3e6c9221cfbfda65f1aef66de968f9

SHA1
d23df3d51caaa4df317b8221202f1c745af17bb5

SHA256
561848b8e2c1cd2c3794c6a93084d7307e6d66bf29a52a91c624f057c4b7b7fa

SHA512
c55a14df75c31fe1f8aa10e0a911fe7a03c272a9580e24510764fff68f87efd4824a1ad232d14570003c6b9099170a525084393b95d3263e880ce7ab957fd8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
256KB

MD5
75dd7f93b08bca6216df8088086a9e6b

SHA1
ddd44efaf4ae7663a6af74db1e703bbc0324599d

SHA256
f48a5b8233c5589531d78d5f784354d0b229972ffff42f590389ba749df214e9

SHA512
073b823cd079ddeab0237f7029347224125bc7eedcc1fc0b98e4cd5323e0106c2a3546bd04645d238a345f92b68b4b13130b118d0ab6a0465510468b1c690def

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
2.9MB

MD5
06e212fabdb40b2ee1cd018de8f8e439

SHA1
c24b2c19ca81c6628869ef7c937927b648fbcaf2

SHA256
d66a53b6a5b72e15d5b9eaf219c5db2942e648a19844cef3823e4bf706ec5ae8

SHA512
38ea76b1c80711fc7f702972771d052ce3cb635153011949f7653d04b5c86cc754c53ad9adda58686be673164d02c04914441f9c912aff397633d8057d075b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
2.9MB

MD5
b301fcd837bc76a763b37dd59ae8c266

SHA1
2e6610726c9419df3a4d32a1bad0d5d6e3582c9d

SHA256
22d5f44e696e41317081c500a2ee9aecc18e0093d05e3f99e21e2ccb7ca4f994

SHA512
2a639f1afec3848a10a91887e5f9009783bdefd0f87b7a7a55a9f4ddc261a61b29cf888ea562946b298cb423ccab748c3ace92fa961ef32926c00c1f21c907df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
111B

MD5
07c899cd56d9927267b6cd3dd28380f9

SHA1
a747a274cd533b269e70e34a47d881a7589f5ba0

SHA256
d4d15d9142d1a50e07925f9ccae4874f2d9de3fbe615a0615a9f23835b93e6e3

SHA512
ef1f721ff50fe0e3db878bf80c35fa4cb89de3b9e9dfe70d8beb6bc6b368027daf8e0fcc6b39558122a7e4519014be8f1653eda6e47d70bc00e322682bcf8be9

Download Submit
memory/676-58-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/676-59-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/676-60-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/676-57-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/676-55-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/676-56-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/676-53-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/676-54-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/676-77-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/676-79-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1068-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1324-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-215-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1496-218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2112-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3168-124-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3168-120-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3168-105-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3168-104-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3168-103-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3168-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3168-100-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4368-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-147-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4520-171-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4520-149-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4520-148-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4520-146-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4520-145-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4716-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-30-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-11-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/4716-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4716-5-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/4716-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4716-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4716-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4716-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4716-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5000-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download