azorult | hxxps://keygenninja[.]com/

Resubmissions

28-03-2021 14:03

210328-k4cvgmxem6 10

28-03-2021 09:38

210328-av8mak971a 10

27-03-2021 18:19

210327-4yh3gn24dn 10

Analysis

max time kernel
136s
max time network
172s
platform
windows10_x64
resource
win10v20201028
submitted
28-03-2021 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://keygenninja.com/
Sample

210328-av8mak971a

Score

10^/10

azorult raccoon 4ce8ad65ffaa0dffa8cc56e03b4fd65c31c1a91d infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

4ce8ad65ffaa0dffa8cc56e03b4fd65c31c1a91d

Attributes

url4cnc
https://telete.in/j90dadarobin

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Executes dropped EXE 14 IoCs

pid	Process
5496	keygen-pr.exe
5488	keygen-step-1.exe
5588	keygen-step-2.exe
5140	keygen-step-3.exe
5632	keygen-step-4.exe
5116	key.exe
5200	Setup.exe
4496	multitimer.exe
4472	F52E.tmp.exe
2072	setups.exe
3488	askinstall20.exe
4436	setups.tmp
5292	multitimer.exe
2904	multitimer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 5 IoCs

pid	Process
4436	setups.tmp
4436	setups.tmp
4436	setups.tmp
4436	setups.tmp
4436	setups.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwz10ucsb2e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FFZXGNO5U6\\multitimer.exe\" 1 3.1616924456.60604f28ba5ae"	multitimer.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
237	ipinfo.io
249	ipinfo.io

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4776	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000ac0b4cf7be2b60709ed7e1bd31b0524a34928e2832a8df1b2b32ce0d41308d32f561207ae548a65100204611ed8244a9bc370a64ae2b64fa01c1	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000dd3449c92db4ecb40732c0dd06c4fb0ab5ea560bb1e28bb4b2b6c9b2ae066aa0c4b2ab5c76daee9d7fdfbc27ef5c1e52764184260c7fd2632800c514d3c94ec7d989192dbef572de81ad47cf4fe459d0d7f1a09614d2a24f30df	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000660c462b9091d13e946f0fa39394647a0eed2806a77fc093d5f3bbe5091333179540b185cf139f87eb861e5a7e6a54d5210ceacec9420b972b4bf003422d2f824192013a073ff8bbe1a4af2fa530a4c637586053447e5ffa5537ec19d588424fbc20f6378cb3a4d429e706e98b8860e322f1e01b5dd3eb4facd8a2eabfc4dcc6860c2ef331118687306f2dd43311f0fd2af7708645e198fb9d4e55d4808149310f758078d7f7e614835b3102ed6a4b6a018af5fd6848598a0fba95cc4b601fdaa17a684b2c0769a6f7cddcd7e5356c507bca120253a86596a93ae5ae06ff68332f3d49172bdf063dcae4ce996e114f0c03d7bf02fda0d53eccef6fd55ffff9faa6dc2e31d120ad3150c0a743a79dc8a43ad12605dfd2b52f3bfa7e0af000c5760079abe5506bea3e7f8191b2187b15493fd8db1ebeddd6353d792ebfcca209be8932349c9c5e8a2493463dca424ae3e8390ce5bce161b066d68dd49ea485f8161829eec5469b8ed5e531e7e8b0a9b2cf078d39bbf8fec9d79e560e648d49855ab57ce29d04c086321361dcab0e3a2c5f687b81518b54a8e24ea1467c64a00633387acb9fea0a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 717a2ef4b623d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{5AA39F60-173D-493E-BD45-D3686E9ABFDF}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2168	PING.EXE
2468	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	246	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4684	chrome.exe
4684	chrome.exe
2872	chrome.exe
2872	chrome.exe
4612	chrome.exe
4612	chrome.exe
5776	chrome.exe
5776	chrome.exe
5824	chrome.exe
5824	chrome.exe
6068	chrome.exe
6068	chrome.exe
4876	chrome.exe
4876	chrome.exe
5104	chrome.exe
5104	chrome.exe
4436	setups.tmp
4436	setups.tmp
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: 33	5920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5920	AUDIODG.EXE
Token: SeDebugPrivilege	5200	Setup.exe
Token: SeCreateTokenPrivilege	3488	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3488	askinstall20.exe
Token: SeLockMemoryPrivilege	3488	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3488	askinstall20.exe
Token: SeMachineAccountPrivilege	3488	askinstall20.exe
Token: SeTcbPrivilege	3488	askinstall20.exe
Token: SeSecurityPrivilege	3488	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3488	askinstall20.exe
Token: SeLoadDriverPrivilege	3488	askinstall20.exe
Token: SeSystemProfilePrivilege	3488	askinstall20.exe
Token: SeSystemtimePrivilege	3488	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3488	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3488	askinstall20.exe
Token: SeCreatePagefilePrivilege	3488	askinstall20.exe
Token: SeCreatePermanentPrivilege	3488	askinstall20.exe
Token: SeBackupPrivilege	3488	askinstall20.exe
Token: SeRestorePrivilege	3488	askinstall20.exe
Token: SeShutdownPrivilege	3488	askinstall20.exe
Token: SeDebugPrivilege	3488	askinstall20.exe
Token: SeAuditPrivilege	3488	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3488	askinstall20.exe
Token: SeChangeNotifyPrivilege	3488	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3488	askinstall20.exe
Token: SeUndockPrivilege	3488	askinstall20.exe
Token: SeSyncAgentPrivilege	3488	askinstall20.exe
Token: SeEnableDelegationPrivilege	3488	askinstall20.exe
Token: SeManageVolumePrivilege	3488	askinstall20.exe
Token: SeImpersonatePrivilege	3488	askinstall20.exe
Token: SeCreateGlobalPrivilege	3488	askinstall20.exe
Token: 31	3488	askinstall20.exe
Token: 32	3488	askinstall20.exe
Token: 33	3488	askinstall20.exe
Token: 34	3488	askinstall20.exe
Token: 35	3488	askinstall20.exe
Token: SeDebugPrivilege	4496	multitimer.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	5816	MicrosoftEdge.exe
Token: SeDebugPrivilege	5816	MicrosoftEdge.exe
Token: SeDebugPrivilege	5816	MicrosoftEdge.exe
Token: SeDebugPrivilege	5816	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5816	MicrosoftEdge.exe
5148	MicrosoftEdgeCP.exe
5148	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4752	4684	chrome.exe	19
PID 4684 wrote to memory of 4752	4684	chrome.exe	19
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 3744	4684	chrome.exe	75
PID 4684 wrote to memory of 4236	4684	chrome.exe	76
PID 4684 wrote to memory of 4236	4684	chrome.exe	76
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77
PID 4684 wrote to memory of 4168	4684	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0x60,0xd4,0x7ffefc546e00,0x7ffefc546e10,0x7ffefc546e20
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1600 /prefetch:2
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
  2⤵
  PID:2392
- - C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff749ed7740,0x7ff749ed7750,0x7ff749ed7760
    3⤵
    PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7396 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7400 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7680 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7720 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7944 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7956 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8412 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8416 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8092 /prefetch:8
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8244 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,15812921230035666588,825335894440963016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=8024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\Temp2_Alcohol.Alcohol.120.v1.4.0.Bu.crack.by.F4CG.zip\Alcohol.Alcohol.120.v1.4.0.Bu.crack.by.F4CG.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Alcohol.Alcohol.120.v1.4.0.Bu.crack.by.F4CG.zip\Alcohol.Alcohol.120.v1.4.0.Bu.crack.by.F4CG.exe"
1⤵
PID:5372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:4404
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
    keygen-step-2.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:5588
  - - C:\Users\Admin\AppData\Roaming\F52E.tmp.exe
      "C:\Users\Admin\AppData\Roaming\F52E.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:2468
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2168
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    PID:5632
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe" 1 3.1616924456.60604f28ba5ae 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FFZXGNO5U6\multitimer.exe" 2 3.1616924456.60604f28ba5ae
        7⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\4qjngq0onym\1tbz54cngvl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4qjngq0onym\1tbz54cngvl.exe" /VERYSILENT
        8⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\is-N2OQ6.tmp\1tbz54cngvl.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N2OQ6.tmp\1tbz54cngvl.tmp" /SL5="$103B0,2592217,780800,C:\Users\Admin\AppData\Local\Temp\4qjngq0onym\1tbz54cngvl.exe" /VERYSILENT
        9⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\oenqwc5hnhu\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oenqwc5hnhu\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\is-T8RJC.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T8RJC.tmp\Setup3310.tmp" /SL5="$20432,138429,56832,C:\Users\Admin\AppData\Local\Temp\oenqwc5hnhu\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\ujfzqjax3hk\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ujfzqjax3hk\AwesomePoolU1.exe"
        8⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\js1orow1z12\zmzesstwq1e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\js1orow1z12\zmzesstwq1e.exe" /ustwo INSTALL
        8⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\rkv5fmux0bg\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rkv5fmux0bg\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\is-566DR.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-566DR.tmp\vict.tmp" /SL5="$40446,870426,780800,C:\Users\Admin\AppData\Local\Temp\rkv5fmux0bg\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\nldd32hcxsb\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nldd32hcxsb\vpn.exe" /silent /subid=482
        8⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\is-54H7R.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-54H7R.tmp\vpn.tmp" /SL5="$20488,15170975,270336,C:\Users\Admin\AppData\Local\Temp\nldd32hcxsb\vpn.exe" /silent /subid=482
        9⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2umprus1b5w\pzldk5eelua.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2umprus1b5w\pzldk5eelua.exe" /1-610
        8⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Patient-Resonance'
        9⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\m0fqutatnbe\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m0fqutatnbe\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\is-O1HSH.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O1HSH.tmp\IBInstaller_97039.tmp" /SL5="$30524,12297635,721408,C:\Users\Admin\AppData\Local\Temp\m0fqutatnbe\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\EMTE5MSED9\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMTE5MSED9\setups.exe" ll
        5⤵
        Executes dropped EXE
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\is-OTCO0.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OTCO0.tmp\setups.tmp" /SL5="$60242,408070,216064,C:\Users\Admin\AppData\Local\Temp\EMTE5MSED9\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      Suspicious use of AdjustPrivilegeToken
      PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:5756
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        5⤵
        
        PID:5308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        5⤵
        
        PID:3920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffeec026e00,0x7ffeec026e10,0x7ffeec026e20
        6⤵
        
        PID:2448
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1852 /prefetch:8
        6⤵
        
        PID:5192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1840 /prefetch:8
        6⤵
        
        PID:5144
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1792 /prefetch:2
        6⤵
        
        PID:5644
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
        6⤵
        
        PID:2640
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        6⤵
        
        PID:4440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        6⤵
        
        PID:1056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        
        PID:5668
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        6⤵
        
        PID:2244
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1768,16125933128335664409,13213281117269238481,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        6⤵
        
        PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:4232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-387-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1460-281-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-268-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-296-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-298-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-299-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-300-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-301-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-297-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-294-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-291-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-289-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-287-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-285-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-283-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-282-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-293-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-280-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-279-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-278-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-267-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-277-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-295-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-276-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-275-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-274-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-273-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-269-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-270-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-272-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-271-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-266-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-265-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-264-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-284-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-292-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-290-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-288-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/1460-286-0x0000025ECECE0000-0x0000025ECECE00F8-memory.dmp

Filesize
248B

Download
memory/2072-369-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2136-253-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-226-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-251-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-250-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-249-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-248-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-247-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-246-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-245-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-244-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-243-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-242-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-241-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-240-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-239-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-238-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-237-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-236-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-235-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-234-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-233-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-232-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-231-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-230-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-229-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-228-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-227-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-252-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-225-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-262-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-254-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-255-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-261-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-256-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-260-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-259-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-257-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2136-258-0x000001D937BF0000-0x000001D937BF00F8-memory.dmp

Filesize
248B

Download
memory/2640-413-0x000001C9D1CF0000-0x000001C9D1CF00F8-memory.dmp

Filesize
248B

Download
memory/2904-378-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/2904-376-0x00007FFED89C0000-0x00007FFED9360000-memory.dmp

Filesize
9.6MB

Download
memory/3012-317-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-338-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-311-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-315-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-318-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-320-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-322-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-323-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-325-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-326-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-328-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-329-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-330-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-332-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-333-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-334-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-335-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-336-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-312-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-304-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-310-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-303-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-305-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-339-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-306-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-307-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-340-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-337-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-331-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-308-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-309-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-327-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-324-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-321-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-319-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-316-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-314-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3012-313-0x0000024F5A310000-0x0000024F5A3100F8-memory.dmp

Filesize
248B

Download
memory/3116-416-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3392-54-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-61-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-59-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-58-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-57-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-56-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-55-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-53-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-32-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-33-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-24-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-25-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-26-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-27-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-28-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-29-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-30-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-34-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-31-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-35-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-44-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-60-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-36-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-37-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-38-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-52-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-39-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-40-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-41-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-42-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-43-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-45-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-46-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-47-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-48-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-49-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-50-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3392-51-0x00000165DC580000-0x00000165DC5800F8-memory.dmp

Filesize
248B

Download
memory/3488-96-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-70-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-98-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-99-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-63-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-64-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-65-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-66-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-67-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-68-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-69-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-97-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-71-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-72-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-73-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-74-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-75-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-76-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-77-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-78-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-80-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-100-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-95-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-79-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-81-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-82-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-94-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-93-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-92-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-91-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-90-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-89-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-88-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-87-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-86-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-85-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-84-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3488-83-0x00000247BC150000-0x00000247BC1500F8-memory.dmp

Filesize
248B

Download
memory/3600-417-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3600-418-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/3664-419-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/3744-6-0x00007FFF05010000-0x00007FFF05011000-memory.dmp

Filesize
4KB

Download
memory/4168-420-0x000000006FD90000-0x000000007047E000-memory.dmp

Filesize
6.9MB

Download
memory/4168-421-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/4232-388-0x00000000006F0000-0x00000000006FD000-memory.dmp

Filesize
52KB

Download
memory/4300-391-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/4300-408-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4300-394-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4300-411-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4300-396-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4300-393-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4300-397-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4300-398-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4300-399-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4300-400-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4300-401-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4300-402-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4300-395-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4300-405-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4300-406-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4300-409-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4300-404-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4300-403-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4300-410-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4300-407-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4436-370-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4436-366-0x0000000003971000-0x000000000399C000-memory.dmp

Filesize
172KB

Download
memory/4436-367-0x0000000003AF1000-0x0000000003AF8000-memory.dmp

Filesize
28KB

Download
memory/4444-137-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-128-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-139-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-138-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-136-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-135-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-134-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-133-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-132-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-131-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-130-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-129-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-127-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-126-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-125-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-102-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-103-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-104-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-105-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-106-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-107-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-108-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-109-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-110-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-124-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-111-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-112-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-113-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-114-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-115-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-116-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-123-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-122-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-117-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-121-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-120-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-118-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4444-119-0x000001FC93A80000-0x000001FC93A800F8-memory.dmp

Filesize
248B

Download
memory/4472-374-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4472-373-0x0000000000AD0000-0x0000000000B61000-memory.dmp

Filesize
580KB

Download
memory/4472-371-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4496-368-0x0000000002E00000-0x0000000002E02000-memory.dmp

Filesize
8KB

Download
memory/4496-365-0x00007FFED89C0000-0x00007FFED9360000-memory.dmp

Filesize
9.6MB

Download
memory/4604-392-0x00007FFED89C0000-0x00007FFED9360000-memory.dmp

Filesize
9.6MB

Download
memory/4604-412-0x00000000011C0000-0x00000000011C2000-memory.dmp

Filesize
8KB

Download
memory/4752-390-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5116-364-0x0000000002590000-0x000000000272C000-memory.dmp

Filesize
1.6MB

Download
memory/5200-360-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/5200-363-0x000000001CE50000-0x000000001CE52000-memory.dmp

Filesize
8KB

Download
memory/5200-359-0x00007FFEE5E80000-0x00007FFEE686C000-memory.dmp

Filesize
9.9MB

Download
memory/5292-377-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/5292-375-0x00007FFED89C0000-0x00007FFED9360000-memory.dmp

Filesize
9.6MB

Download
memory/5588-358-0x0000000000E70000-0x0000000000E7D000-memory.dmp

Filesize
52KB

Download
memory/5592-386-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/6012-415-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download