azorult | hxxps://crackheap[.]net/

Analysis

max time kernel
1799s
max time network
1799s
platform
windows10_x64
resource
win10v20201028
submitted
15-02-2021 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crackheap.net/
Sample

210215-fe9bcqlt6e

Score

10^/10

azorult plugx pony raccoon redline 8a5ae6012868ca42851ee67a7adea59c46a3fb6d bootkit discovery evasion infostealer persistence rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

8a5ae6012868ca42851ee67a7adea59c46a3fb6d

Attributes

url4cnc
https://telete.in/jdiavolenok23

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5996-826-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 64 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exekey.exe1F39.tmp.exe2005.tmp.exe20C1.tmp.exe2071.tmp.exe1F39.tmp.exeSetup.exeBC863AABC388D491.exeBC863AABC388D491.exemd2_2efs.exe1613382879276.exe1613382882589.exe2005.tmp.exe2005.tmp.exeThunderFW.exeBTRSetp.exe5363001.584862513.5336538.0193702.2gdrrr.exeWindows Host.exejfiag3g_gg.exejfiag3g_gg.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exe9A21.tmp.exe9A70.tmp.exe9A80.tmp.exe9D8C.tmp.exe9A21.tmp.exeSetup.exemd2_2efs.exeBTRSetp.exe750443.83477405.384605845.507303106.80gdrrr.exejfiag3g_gg.exejfiag3g_gg.exekeygen-pr.exekeygen-step-1.exekey.exekeygen-step-2.exekeygen-step-3.exekey.exekeygen-step-4.exe

pid	process
4220	software_reporter_tool.exe
4212	software_reporter_tool.exe
5584	software_reporter_tool.exe
5544	software_reporter_tool.exe
3480	keygen-pr.exe
3408	keygen-step-1.exe
2548	keygen-step-2.exe
3516	keygen-step-3.exe
4708	keygen-step-4.exe
420	key.exe
5808	file.exe
5740	key.exe
4828	1F39.tmp.exe
5928	2005.tmp.exe
1516	20C1.tmp.exe
5948	2071.tmp.exe
6076	1F39.tmp.exe
3628	Setup.exe
4644	BC863AABC388D491.exe
1248	BC863AABC388D491.exe
4956	md2_2efs.exe
5496	1613382879276.exe
5656	1613382882589.exe
4696	2005.tmp.exe
5996	2005.tmp.exe
4500	ThunderFW.exe
4736	BTRSetp.exe
6000	5363001.58
4228	4862513.53
5200	36538.0
5880	193702.2
4824	gdrrr.exe
4808	Windows Host.exe
1380	jfiag3g_gg.exe
2740	jfiag3g_gg.exe
5236	keygen-pr.exe
5232	keygen-step-1.exe
6040	keygen-step-2.exe
636	keygen-step-3.exe
4436	keygen-step-4.exe
4496	key.exe
5632	file.exe
4712	9A21.tmp.exe
4920	9A70.tmp.exe
5272	9A80.tmp.exe
5340	9D8C.tmp.exe
5604	9A21.tmp.exe
312	Setup.exe
5736	md2_2efs.exe
3956	BTRSetp.exe
2792	750443.8
5532	3477405.38
5484	4605845.50
6088	7303106.80
4868	gdrrr.exe
5284	jfiag3g_gg.exe
4256	jfiag3g_gg.exe
992	keygen-pr.exe
5816	keygen-step-1.exe
4080	key.exe
2504	keygen-step-2.exe
3880	keygen-step-3.exe
3964	key.exe
5076	keygen-step-4.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5836-821-0x0000000004500000-0x0000000004501000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

193702.27303106.801608836.172049922.2236538.04605845.50

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	193702.2
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	193702.2
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7303106.80
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1608836.17
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2049922.22
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36538.0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	36538.0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4605845.50
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4605845.50
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7303106.80
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1608836.17
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2049922.22

Loads dropped DLL 32 IoCs

Processes:

software_reporter_tool.exe2071.tmp.exeMsiExec.exeMsiExec.exe9D8C.tmp.exekeygen-step-1.exe1E06.tmp.exeMsiExec.exe

pid	process
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5584	software_reporter_tool.exe
5948	2071.tmp.exe
5948	2071.tmp.exe
5948	2071.tmp.exe
5948	2071.tmp.exe
5948	2071.tmp.exe
5948	2071.tmp.exe
5352	MsiExec.exe
2556	MsiExec.exe
5340	9D8C.tmp.exe
5340	9D8C.tmp.exe
5340	9D8C.tmp.exe
5340	9D8C.tmp.exe
5340	9D8C.tmp.exe
5340	9D8C.tmp.exe
5816	keygen-step-1.exe
5816	keygen-step-1.exe
5816	keygen-step-1.exe
5816	keygen-step-1.exe
4348	1E06.tmp.exe
4348	1E06.tmp.exe
4348	1E06.tmp.exe
4348	1E06.tmp.exe
4348	1E06.tmp.exe
4348	1E06.tmp.exe
2812	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 6 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/5200-872-0x00000000012B0000-0x00000000012B1000-memory.dmp	themida
behavioral1/memory/5880-879-0x0000000000800000-0x0000000000801000-memory.dmp	themida
behavioral1/memory/5484-973-0x0000000001290000-0x0000000001291000-memory.dmp	themida
behavioral1/memory/6088-980-0x00000000013C0000-0x00000000013C1000-memory.dmp	themida
behavioral1/memory/2284-1091-0x0000000000E30000-0x0000000000E31000-memory.dmp	themida
behavioral1/memory/4268-1128-0x0000000000250000-0x0000000000251000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4862513.53gdrrr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4862513.53
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2049922.22md2_2efs.exe36538.0Setup.exeSetup.exe7303106.801608836.17Setup.exeBC863AABC388D491.exemd2_2efs.exe4605845.50BC863AABC388D491.exe193702.2md2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2049922.22
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	36538.0
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7303106.80
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1608836.17
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4605845.50
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	193702.2
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Drops Chrome extension 1 IoCs

Processes:

BC863AABC388D491.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjapkekkicmfibmmdojdakfkbihjlmdm\1.0.0.0_0\manifest.json	BC863AABC388D491.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

259 api.ipify.org
173 api.ipify.org
227 ip-api.com

flow	ioc
259	api.ipify.org
173	api.ipify.org
227	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeBC863AABC388D491.exeBC863AABC388D491.exeSetup.exeSetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	BC863AABC388D491.exe
File opened for modification	\??\PhysicalDrive0	BC863AABC388D491.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

Setup.exe36538.0193702.2Setup.exe4605845.507303106.80Setup.exe1608836.172049922.22

pid process

3628 Setup.exe
5200 36538.0
5880 193702.2
312 Setup.exe
5484 4605845.50
6088 7303106.80
4336 Setup.exe
2284 1608836.17
4268 2049922.22

pid	process
3628	Setup.exe
5200	36538.0
5880	193702.2
312	Setup.exe
5484	4605845.50
6088	7303106.80
4336	Setup.exe
2284	1608836.17
4268	2049922.22

Suspicious use of SetThreadContext 10 IoCs

Processes:

key.exe1F39.tmp.exeBC863AABC388D491.exe2005.tmp.exe9A21.tmp.exekey.exe9A70.tmp.exe1E64.tmp.exe200B.tmp.exe

description	pid	process	target process
PID 420 set thread context of 5740	420	key.exe	key.exe
PID 4828 set thread context of 6076	4828	1F39.tmp.exe	1F39.tmp.exe
PID 4644 set thread context of 5552	4644	BC863AABC388D491.exe	firefox.exe
PID 4644 set thread context of 4776	4644	BC863AABC388D491.exe	firefox.exe
PID 5928 set thread context of 5996	5928	2005.tmp.exe	2005.tmp.exe
PID 4712 set thread context of 5604	4712	9A21.tmp.exe	9A21.tmp.exe
PID 4080 set thread context of 3964	4080	key.exe	key.exe
PID 4920 set thread context of 5248	4920	9A70.tmp.exe	9A70.tmp.exe
PID 4444 set thread context of 6044	4444	1E64.tmp.exe	1E64.tmp.exe
PID 5868 set thread context of 5048	5868	200B.tmp.exe	200B.tmp.exe

Drops file in Windows directory 10 IoCs

Processes:

WerFault.exemsiexec.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\f7b5603.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5836.tmp	msiexec.exe
File created	C:\Windows\Installer\f7b5603.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\f7b5605.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79A6.tmp	msiexec.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5836 4956 WerFault.exe md2_2efs.exe
6132 5736 WerFault.exe md2_2efs.exe

pid	pid_target	process	target process
5836	4956	WerFault.exe	md2_2efs.exe
6132	5736	WerFault.exe	md2_2efs.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeSystemSettings.exeBC863AABC388D491.exeBC863AABC388D491.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keygen-step-1.exe1E64.tmp.exe1F39.tmp.exe9A21.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1E64.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1E64.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1F39.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1F39.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9A21.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9A21.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-1.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5900 timeout.exe
4652 timeout.exe
3084 timeout.exe
5492 timeout.exe
208 timeout.exe
4236 timeout.exe
5064 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4572 taskkill.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

SystemSettings.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors SystemSettings.exe

pid	process
5900	timeout.exe
4652	timeout.exe
3084	timeout.exe
5492	timeout.exe
208	timeout.exe
4236	timeout.exe
5064	timeout.exe

pid	process
4572	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	SystemSettings.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

file.exesvchost.exefile.exefile.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4396	PING.EXE
5408	PING.EXE
508	PING.EXE
4888	PING.EXE
6104	PING.EXE
5700	PING.EXE
2508	PING.EXE
6048	PING.EXE
4724	PING.EXE
5276	PING.EXE
5944	PING.EXE
5896	PING.EXE
428	PING.EXE
5844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exefile.exe1F39.tmp.exekey.exe1613382879276.exeWerFault.exe1613382882589.exe2005.tmp.exe2005.tmp.exe5363001.58jfiag3g_gg.exe36538.0msiexec.exe

pid	process
984	chrome.exe
984	chrome.exe
1028	chrome.exe
1028	chrome.exe
4528	chrome.exe
4528	chrome.exe
4952	chrome.exe
4952	chrome.exe
3736	chrome.exe
3736	chrome.exe
4280	chrome.exe
4280	chrome.exe
4504	chrome.exe
4504	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
4244	chrome.exe
4244	chrome.exe
4220	software_reporter_tool.exe
4220	software_reporter_tool.exe
4024	chrome.exe
4024	chrome.exe
4580	chrome.exe
4580	chrome.exe
5808	file.exe
5808	file.exe
5808	file.exe
5808	file.exe
6076	1F39.tmp.exe
6076	1F39.tmp.exe
420	key.exe
420	key.exe
5496	1613382879276.exe
5496	1613382879276.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5836	WerFault.exe
5656	1613382882589.exe
5656	1613382882589.exe
5928	2005.tmp.exe
5928	2005.tmp.exe
5996	2005.tmp.exe
5996	2005.tmp.exe
6000	5363001.58
6000	5363001.58
2740	jfiag3g_gg.exe
2740	jfiag3g_gg.exe
5200	36538.0
5200	36538.0
4984	msiexec.exe
4984	msiexec.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

3477405.383707847.40

pid process

5532 3477405.38
4244 3707847.40

pid	process
5532	3477405.38
4244	3707847.40

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe2005.tmp.exefile.exekey.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	4212	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4212	software_reporter_tool.exe
Token: 33	4220	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4220	software_reporter_tool.exe
Token: 33	5584	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5584	software_reporter_tool.exe
Token: 33	5544	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5544	software_reporter_tool.exe
Token: SeDebugPrivilege	5928	2005.tmp.exe
Token: SeDebugPrivilege	5808	file.exe
Token: SeImpersonatePrivilege	420	key.exe
Token: SeTcbPrivilege	420	key.exe
Token: SeChangeNotifyPrivilege	420	key.exe
Token: SeCreateTokenPrivilege	420	key.exe
Token: SeBackupPrivilege	420	key.exe
Token: SeRestorePrivilege	420	key.exe
Token: SeIncreaseQuotaPrivilege	420	key.exe
Token: SeAssignPrimaryTokenPrivilege	420	key.exe
Token: SeImpersonatePrivilege	420	key.exe
Token: SeTcbPrivilege	420	key.exe
Token: SeChangeNotifyPrivilege	420	key.exe
Token: SeCreateTokenPrivilege	420	key.exe
Token: SeBackupPrivilege	420	key.exe
Token: SeRestorePrivilege	420	key.exe
Token: SeIncreaseQuotaPrivilege	420	key.exe
Token: SeAssignPrimaryTokenPrivilege	420	key.exe
Token: SeImpersonatePrivilege	420	key.exe
Token: SeTcbPrivilege	420	key.exe
Token: SeChangeNotifyPrivilege	420	key.exe
Token: SeCreateTokenPrivilege	420	key.exe
Token: SeBackupPrivilege	420	key.exe
Token: SeRestorePrivilege	420	key.exe
Token: SeIncreaseQuotaPrivilege	420	key.exe
Token: SeAssignPrimaryTokenPrivilege	420	key.exe
Token: SeImpersonatePrivilege	420	key.exe
Token: SeTcbPrivilege	420	key.exe
Token: SeChangeNotifyPrivilege	420	key.exe
Token: SeCreateTokenPrivilege	420	key.exe
Token: SeBackupPrivilege	420	key.exe
Token: SeRestorePrivilege	420	key.exe
Token: SeIncreaseQuotaPrivilege	420	key.exe
Token: SeAssignPrimaryTokenPrivilege	420	key.exe
Token: SeImpersonatePrivilege	420	key.exe
Token: SeTcbPrivilege	420	key.exe
Token: SeChangeNotifyPrivilege	420	key.exe
Token: SeCreateTokenPrivilege	420	key.exe
Token: SeBackupPrivilege	420	key.exe
Token: SeRestorePrivilege	420	key.exe
Token: SeIncreaseQuotaPrivilege	420	key.exe
Token: SeAssignPrimaryTokenPrivilege	420	key.exe
Token: SeShutdownPrivilege	6140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6140	msiexec.exe
Token: SeSecurityPrivilege	4984	msiexec.exe
Token: SeCreateTokenPrivilege	6140	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6140	msiexec.exe
Token: SeLockMemoryPrivilege	6140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6140	msiexec.exe
Token: SeMachineAccountPrivilege	6140	msiexec.exe
Token: SeTcbPrivilege	6140	msiexec.exe
Token: SeSecurityPrivilege	6140	msiexec.exe
Token: SeTakeOwnershipPrivilege	6140	msiexec.exe
Token: SeLoadDriverPrivilege	6140	msiexec.exe
Token: SeSystemProfilePrivilege	6140	msiexec.exe
Token: SeSystemtimePrivilege	6140	msiexec.exe

Suspicious use of FindShellTrayWindow 20 IoCs

Processes:

chrome.exemsiexec.exemsiexec.exemsiexec.exe

pid	process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
6140	msiexec.exe
6140	msiexec.exe
6092	msiexec.exe
6092	msiexec.exe
5956	msiexec.exe
5956	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SystemSettings.exe

pid process

2380 SystemSettings.exe

pid	process
2380	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1028 wrote to memory of 3744	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3744	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 3784	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 984	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 984	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 2368	1028	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://crackheap.net/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffc48d36e00,0x7ffc48d36e10,0x7ffc48d36e20
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
2⤵
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
2⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff755207740,0x7ff755207750,0x7ff755207760
3⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5912 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7056 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7068 /prefetch:8
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7028 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7604 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7624 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7696 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7704 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7692 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7984 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8304 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8476 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8572 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8624 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8888 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9012 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8260 /prefetch:8
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9440 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8848 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9468 /prefetch:1
2⤵
PID:5628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9112 /prefetch:1
2⤵
PID:6076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
2⤵
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=4492 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
2⤵
PID:1188

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\88.253.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\88.253.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=5cfZxKSsfCrltkxG1sKG8vSmidosJ7wkGDLRie70 --registry-suffix=ESET --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=88.253.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff70d8e2a58,0x7ff70d8e2a68,0x7ff70d8e2a78
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4220_MSAKXBCSWZFFIUEN" --sandboxed-process-id=2 --init-done-notifier=692 --sandbox-mojo-pipe-token=16943057593857831326 --mojo-platform-channel-handle=668 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5584

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\88.253.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4220_MSAKXBCSWZFFIUEN" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=1519648121703095478 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8132 /prefetch:8
2⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9504 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9120 /prefetch:8
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
2⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9028 /prefetch:8
2⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9036 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9320 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9300 /prefetch:8
2⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=768 /prefetch:1
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,4386879444494770061,3358094650931727762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\Temp2_PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.zip\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.zip\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe"
1⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:5740

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3408

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Roaming\2071.tmp.exe
"C:\Users\Admin\AppData\Roaming\2071.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\2071.tmp.exe"
5⤵
PID:2924

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:5644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:5276

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:416

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4724

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4708

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Users\Admin\AppData\Roaming\1F39.tmp.exe
"C:\Users\Admin\AppData\Roaming\1F39.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4828

C:\Users\Admin\AppData\Roaming\1F39.tmp.exe
"C:\Users\Admin\AppData\Roaming\1F39.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6076

C:\Users\Admin\AppData\Roaming\2005.tmp.exe
"C:\Users\Admin\AppData\Roaming\2005.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Users\Admin\AppData\Roaming\2005.tmp.exe
"{path}"
6⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\AppData\Roaming\2005.tmp.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5996

C:\Users\Admin\AppData\Roaming\20C1.tmp.exe
"C:\Users\Admin\AppData\Roaming\20C1.tmp.exe"
5⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\20C1.tmp.exe
6⤵
PID:5884

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:5900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:4816

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4396

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:3628

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6140

C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe
C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:4644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:5552

C:\Users\Admin\AppData\Roaming\1613382879276.exe
"C:\Users\Admin\AppData\Roaming\1613382879276.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613382879276.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5496

C:\Users\Admin\AppData\Roaming\1613382882589.exe
"C:\Users\Admin\AppData\Roaming\1613382882589.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613382882589.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe"
6⤵
PID:1864

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:5700

C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe
C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:1872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe"
6⤵
PID:4744

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:6104

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
PID:4992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4888

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 2700
5⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5836

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:4736

C:\ProgramData\5363001.58
"C:\ProgramData\5363001.58"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6000

C:\ProgramData\4862513.53
"C:\ProgramData\4862513.53"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4228

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:4808

C:\ProgramData\36538.0
"C:\ProgramData\36538.0"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\ProgramData\193702.2
"C:\ProgramData\193702.2"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5880

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4824

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89868A398823140004D108D4036F930D C
2⤵
- Loads dropped DLL
PID:5352

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1920

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8480204802530C8F9D80AE9732B447DC C
2⤵
- Loads dropped DLL
PID:2556

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 87C533A655BF366D8912A31FF2D90D55 C
2⤵
- Loads dropped DLL
PID:2812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2588

C:\Users\Admin\Desktop\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe
"C:\Users\Admin\Desktop\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe"
1⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "
2⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5236

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
4⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5232

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:6040

C:\Users\Admin\AppData\Roaming\9D8C.tmp.exe
"C:\Users\Admin\AppData\Roaming\9D8C.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\9D8C.tmp.exe"
5⤵
PID:5036

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:5492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe" >> NUL
4⤵
PID:5472

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2508

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"
4⤵
PID:5536

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5944

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5632

C:\Users\Admin\AppData\Roaming\9A21.tmp.exe
"C:\Users\Admin\AppData\Roaming\9A21.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4712

C:\Users\Admin\AppData\Roaming\9A21.tmp.exe
"C:\Users\Admin\AppData\Roaming\9A21.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5604

C:\Users\Admin\AppData\Roaming\9A70.tmp.exe
"C:\Users\Admin\AppData\Roaming\9A70.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4920

C:\Users\Admin\AppData\Roaming\9A70.tmp.exe
"{path}"
6⤵
PID:5248

C:\Users\Admin\AppData\Roaming\9A80.tmp.exe
"C:\Users\Admin\AppData\Roaming\9A80.tmp.exe"
5⤵
- Executes dropped EXE
PID:5272

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9A80.tmp.exe
6⤵
PID:4376

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
5⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5896

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:312

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:6092

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:4872

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5844

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 2680
5⤵
- Program crash
PID:6132

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:3956

C:\ProgramData\750443.8
"C:\ProgramData\750443.8"
5⤵
- Executes dropped EXE
PID:2792

C:\ProgramData\3477405.38
"C:\ProgramData\3477405.38"
5⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5532

C:\ProgramData\4605845.50
"C:\ProgramData\4605845.50"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5484

C:\ProgramData\7303106.80
"C:\ProgramData\7303106.80"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6088

C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe"
4⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4256

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4392

C:\Users\Admin\Desktop\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe
"C:\Users\Admin\Desktop\PGP_Desktop_for_Windows_10_1_keygen_by_KeygenNinja.exe"
1⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen.bat" "
2⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4080

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"
4⤵
PID:864

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:208

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\AppData\Roaming\1E06.tmp.exe
"C:\Users\Admin\AppData\Roaming\1E06.tmp.exe"
4⤵
- Loads dropped DLL
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1E06.tmp.exe"
5⤵
PID:648

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:5064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe" >> NUL
4⤵
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:6048

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:3880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe"
4⤵
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5408

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe"
4⤵
- Modifies data under HKEY_USERS
PID:5364

C:\Users\Admin\AppData\Roaming\1E64.tmp.exe
"C:\Users\Admin\AppData\Roaming\1E64.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:4444

C:\Users\Admin\AppData\Roaming\1E64.tmp.exe
"C:\Users\Admin\AppData\Roaming\1E64.tmp.exe"
6⤵
- Checks processor information in registry
PID:6044

C:\Users\Admin\AppData\Roaming\200B.tmp.exe
"C:\Users\Admin\AppData\Roaming\200B.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:5868

C:\Users\Admin\AppData\Roaming\200B.tmp.exe
"{path}"
6⤵
PID:5048

C:\Users\Admin\AppData\Roaming\2089.tmp.exe
"C:\Users\Admin\AppData\Roaming\2089.tmp.exe"
5⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\2089.tmp.exe
6⤵
PID:5796

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX7\file.exe"
5⤵
PID:5148

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:508

C:\Users\Admin\AppData\Local\Temp\RarSFX7\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\Setup.exe"
4⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4336

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5956

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX7\Setup.exe"
5⤵
PID:6028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:428

C:\Users\Admin\AppData\Local\Temp\RarSFX7\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:4876

C:\Users\Admin\AppData\Local\Temp\RarSFX7\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\BTRSetp.exe"
4⤵
PID:4056

C:\ProgramData\980884.10
"C:\ProgramData\980884.10"
5⤵
PID:5164

C:\ProgramData\3707847.40
"C:\ProgramData\3707847.40"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:4244

C:\ProgramData\1608836.17
"C:\ProgramData\1608836.17"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2284

C:\ProgramData\2049922.22
"C:\ProgramData\2049922.22"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4268

C:\Users\Admin\AppData\Local\Temp\RarSFX7\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\gdrrr.exe"
4⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5912

C:\GDIView.exe
"C:\GDIView.exe"
1⤵
PID:4084

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\014cd4f662b54e2fb761ef1f99c53e18 /t 2208 /p 4084
1⤵
PID:2600

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
4a7ffce191da517a25b149619456764f

SHA1
f4f7b298936a7252edde14f3a8f1ada8900b51db

SHA256
f20289b06a54e1d4433429691104146fc164faffc122e10c96c61ad1e43cc837

SHA512
7d5f0e10a464f9c78df0cf3986afd277658e630910214ac168870cab3418464030773892e5ac6cd466f67ec9e643da7e0f32f8ac6776de502f99d4c9c97f9eb9

Download Submit
\??\pipe\crashpad_1028_OJSRWHDKRIFLENJT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/192-218-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-205-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-9-0x0000000000000000-mapping.dmp

Download
memory/192-200-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-202-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-203-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-204-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-206-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-196-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-207-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-208-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-209-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-211-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-220-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-213-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-214-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-215-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-216-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-194-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-199-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-212-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-221-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-222-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-223-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-224-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-226-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-227-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-228-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-229-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-230-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-225-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-217-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-210-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-219-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-201-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-198-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-197-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-193-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/192-195-0x000001AC248C0000-0x000001AC248C00F8-memory.dmp

Filesize
248B

Download
memory/416-148-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-152-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-172-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-171-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-170-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-169-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-168-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-167-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-166-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-165-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-164-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-163-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-162-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-161-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-160-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-159-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-157-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-156-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-155-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-154-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-153-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-173-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-151-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-150-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-149-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-19-0x0000000000000000-mapping.dmp

Download
memory/416-147-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-146-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-145-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-144-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-143-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-174-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-175-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-176-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-177-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-178-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-179-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-180-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/416-158-0x000001E4E76E0000-0x000001E4E76E00F8-memory.dmp

Filesize
248B

Download
memory/420-781-0x00000000027C0000-0x000000000295C000-memory.dmp

Filesize
1.6MB

Download
memory/420-804-0x0000000000DB0000-0x0000000000E9F000-memory.dmp

Filesize
956KB

Download
memory/420-805-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/420-806-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download
memory/984-5-0x0000000000000000-mapping.dmp

Download
memory/1144-128-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-105-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-125-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-124-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-123-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-122-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-121-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-120-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-119-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-118-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-117-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-116-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-115-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-113-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-112-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-111-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-110-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-109-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-108-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-107-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-106-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-126-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-104-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-127-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-16-0x0000000000000000-mapping.dmp

Download
memory/1144-141-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-129-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-130-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-131-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-132-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-114-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-139-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-133-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-134-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-135-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-136-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-137-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-138-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1144-140-0x000002F9EEB20000-0x000002F9EEB200F8-memory.dmp

Filesize
248B

Download
memory/1248-817-0x0000000003840000-0x0000000003CEF000-memory.dmp

Filesize
4.7MB

Download
memory/1248-281-0x0000000000000000-mapping.dmp

Download
memory/1252-757-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-754-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-740-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-743-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-750-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-763-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-736-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-739-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-741-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-742-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-744-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-745-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-746-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-747-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-737-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-748-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-773-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-772-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-771-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-770-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-769-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-768-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-767-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-766-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-765-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-764-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-762-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-761-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-760-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-759-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-758-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-749-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-751-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-752-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-753-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-738-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-755-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1252-756-0x000001944B370000-0x000001944B3700F8-memory.dmp

Filesize
248B

Download
memory/1312-102-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-71-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-83-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-82-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-68-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-77-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-70-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-90-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-72-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-73-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-84-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-85-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-86-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-87-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-88-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-89-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-91-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-92-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-93-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-94-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-66-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-65-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-69-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-67-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-74-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-75-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-76-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-78-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-79-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-80-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-95-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-81-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-15-0x0000000000000000-mapping.dmp

Download
memory/1312-96-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-97-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-98-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-99-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-100-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1312-101-0x000001DC70CD0000-0x000001DC70CD00F8-memory.dmp

Filesize
248B

Download
memory/1516-791-0x0000000000400000-0x000000000395C000-memory.dmp

Filesize
53.4MB

Download
memory/1516-787-0x00000000059A0000-0x0000000008EFC000-memory.dmp

Filesize
53.4MB

Download
memory/2000-11-0x0000000000000000-mapping.dmp

Download
memory/2284-1091-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2284-1089-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-1099-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2368-7-0x0000000000000000-mapping.dmp

Download
memory/2504-1008-0x0000000000E70000-0x0000000000E7D000-memory.dmp

Filesize
52KB

Download
memory/2548-780-0x0000000001340000-0x000000000134D000-memory.dmp

Filesize
52KB

Download
memory/2600-1105-0x00000198DD7A0000-0x00000198DD7A1000-memory.dmp

Filesize
4KB

Download
memory/2792-954-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-964-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3628-807-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3704-32-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-39-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-28-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-29-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-30-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-26-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-33-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-63-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-35-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-38-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-40-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-45-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-51-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-60-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-62-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-61-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-59-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-58-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-57-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-13-0x0000000000000000-mapping.dmp

Download
memory/3704-56-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-31-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-34-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-36-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-37-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-27-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-55-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-41-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-54-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-42-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-43-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-44-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-46-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-47-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-48-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-49-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-50-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-52-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3704-53-0x0000012474870000-0x00000124748700F8-memory.dmp

Filesize
248B

Download
memory/3736-589-0x0000000000000000-mapping.dmp

Download
memory/3744-2-0x0000000000000000-mapping.dmp

Download
memory/3784-6-0x00007FFC514C0000-0x00007FFC514C1000-memory.dmp

Filesize
4KB

Download
memory/3784-4-0x0000000000000000-mapping.dmp

Download
memory/3900-291-0x0000000000000000-mapping.dmp

Download
memory/3956-953-0x000000001D020000-0x000000001D022000-memory.dmp

Filesize
8KB

Download
memory/3956-947-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/3964-1010-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3988-293-0x0000000000000000-mapping.dmp

Download
memory/4056-1069-0x000000001CF40000-0x000000001CF42000-memory.dmp

Filesize
8KB

Download
memory/4056-1065-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4072-704-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-713-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-718-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-720-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-721-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-723-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-697-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-698-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-699-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-700-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-701-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-702-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-703-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-705-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-706-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-707-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-709-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-708-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-710-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-711-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-712-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-715-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-714-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-716-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-717-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-719-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-722-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-725-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-728-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-731-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-733-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-732-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-730-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-729-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-727-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-726-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4072-724-0x000002002C650000-0x000002002C6500F8-memory.dmp

Filesize
248B

Download
memory/4080-1056-0x0000000000550000-0x000000000056B000-memory.dmp

Filesize
108KB

Download
memory/4080-1055-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4080-1046-0x00000000030C0000-0x00000000031AF000-memory.dmp

Filesize
956KB

Download
memory/4080-1007-0x00000000029A0000-0x0000000002B3C000-memory.dmp

Filesize
1.6MB

Download
memory/4228-856-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4228-867-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4228-859-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

Filesize
44KB

Download
memory/4228-854-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4228-22-0x0000000000000000-mapping.dmp

Download
memory/4244-1087-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4244-1074-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4268-1136-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4268-1128-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/4268-1127-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4280-590-0x0000000000000000-mapping.dmp

Download
memory/4288-297-0x0000000000000000-mapping.dmp

Download
memory/4308-289-0x0000000000000000-mapping.dmp

Download
memory/4320-24-0x0000000000000000-mapping.dmp

Download
memory/4332-186-0x0000000000000000-mapping.dmp

Download
memory/4336-1059-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/4344-244-0x0000000000000000-mapping.dmp

Download
memory/4348-1039-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4348-1043-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4396-250-0x0000000000000000-mapping.dmp

Download
memory/4408-275-0x0000000000000000-mapping.dmp

Download
memory/4412-301-0x0000000000000000-mapping.dmp

Download
memory/4432-248-0x0000000000000000-mapping.dmp

Download
memory/4436-277-0x0000000000000000-mapping.dmp

Download
memory/4440-188-0x0000000000000000-mapping.dmp

Download
memory/4440-256-0x0000000000000000-mapping.dmp

Download
memory/4444-1040-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4448-252-0x0000000000000000-mapping.dmp

Download
memory/4464-294-0x0000000000000000-mapping.dmp

Download
memory/4488-190-0x0000000000000000-mapping.dmp

Download
memory/4496-924-0x0000000002520000-0x00000000026BC000-memory.dmp

Filesize
1.6MB

Download
memory/4508-258-0x0000000000000000-mapping.dmp

Download
memory/4528-192-0x0000000000000000-mapping.dmp

Download
memory/4628-584-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-586-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-548-0x0000000000000000-mapping.dmp

Download
memory/4628-564-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-562-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-561-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-559-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-558-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-556-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-555-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-554-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-553-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-552-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-551-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-550-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-560-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-563-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-570-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-577-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-565-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-587-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-557-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-566-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-585-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-567-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-568-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-569-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-583-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-582-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-581-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-580-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-579-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-578-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-576-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-575-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-574-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-573-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-572-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4628-571-0x000001CF4D4F0000-0x000001CF4D4F00F8-memory.dmp

Filesize
248B

Download
memory/4632-260-0x0000000000000000-mapping.dmp

Download
memory/4644-279-0x0000000000000000-mapping.dmp

Download
memory/4644-816-0x0000000002EA0000-0x000000000334F000-memory.dmp

Filesize
4.7MB

Download
memory/4672-284-0x0000000000000000-mapping.dmp

Download
memory/4676-262-0x0000000000000000-mapping.dmp

Download
memory/4680-361-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-379-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-375-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-374-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-373-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-372-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-371-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-370-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-349-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-369-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-368-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-366-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-365-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-364-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-363-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-362-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-360-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-358-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-283-0x0000000000000000-mapping.dmp

Download
memory/4680-377-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-378-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-351-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-354-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-342-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-367-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-376-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-343-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-359-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-344-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-357-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-345-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-356-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-346-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-352-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-353-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-355-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-347-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-348-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4680-350-0x000001A76F930000-0x000001A76F9300F8-memory.dmp

Filesize
248B

Download
memory/4712-938-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4728-266-0x0000000000000000-mapping.dmp

Download
memory/4736-850-0x0000000001240000-0x0000000001261000-memory.dmp

Filesize
132KB

Download
memory/4736-845-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4736-848-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4736-849-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/4736-846-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4736-851-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/4776-824-0x00000191F5400000-0x00000191F5401000-memory.dmp

Filesize
4KB

Download
memory/4784-232-0x0000000000000000-mapping.dmp

Download
memory/4788-268-0x0000000000000000-mapping.dmp

Download
memory/4808-896-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4808-866-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4820-234-0x0000000000000000-mapping.dmp

Download
memory/4820-299-0x0000000000000000-mapping.dmp

Download
memory/4828-797-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4828-799-0x0000000002CD0000-0x0000000002D15000-memory.dmp

Filesize
276KB

Download
memory/4860-236-0x0000000000000000-mapping.dmp

Download
memory/4864-321-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-330-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-335-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-326-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-305-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-306-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-307-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-264-0x0000000000000000-mapping.dmp

Download
memory/4864-337-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-325-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-324-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-340-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-322-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-336-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-338-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-304-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-308-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-319-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-309-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-303-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-318-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-311-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-332-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-333-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-316-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-339-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-329-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-328-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-314-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-334-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-331-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-327-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-323-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-320-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-317-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-315-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-313-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-312-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4864-310-0x000001EB90300000-0x000001EB903000F8-memory.dmp

Filesize
248B

Download
memory/4884-270-0x0000000000000000-mapping.dmp

Download
memory/4908-238-0x0000000000000000-mapping.dmp

Download
memory/4920-935-0x0000000001880000-0x0000000001881000-memory.dmp

Filesize
4KB

Download
memory/4920-934-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4920-922-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4948-240-0x0000000000000000-mapping.dmp

Download
memory/4952-272-0x0000000000000000-mapping.dmp

Download
memory/4968-287-0x0000000000000000-mapping.dmp

Download
memory/4984-242-0x0000000000000000-mapping.dmp

Download
memory/5000-273-0x0000000000000000-mapping.dmp

Download
memory/5048-1114-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/5048-1107-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5068-546-0x0000000000000000-mapping.dmp

Download
memory/5080-182-0x0000000000000000-mapping.dmp

Download
memory/5088-246-0x0000000000000000-mapping.dmp

Download
memory/5092-254-0x0000000000000000-mapping.dmp

Download
memory/5092-183-0x0000000000000000-mapping.dmp

Download
memory/5116-185-0x0000000000000000-mapping.dmp

Download
memory/5164-1077-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/5164-1072-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5200-869-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5200-872-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/5200-890-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/5200-898-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5248-1037-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/5248-1020-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5272-936-0x0000000005A10000-0x0000000008F6C000-memory.dmp

Filesize
53.4MB

Download
memory/5308-523-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-528-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-510-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-512-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-513-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-514-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-515-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-516-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-518-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-519-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-520-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-521-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-522-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-524-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-525-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-532-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-544-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-543-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-542-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-526-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-527-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-541-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-540-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-517-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-529-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-530-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-507-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-511-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-531-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-533-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-539-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-534-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-535-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-509-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-536-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-537-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-505-0x0000000000000000-mapping.dmp

Download
memory/5308-508-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5308-538-0x0000026E34950000-0x0000026E349500F8-memory.dmp

Filesize
248B

Download
memory/5340-940-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/5340-944-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5364-1009-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/5364-1016-0x00000000038F0000-0x000000000393A000-memory.dmp

Filesize
296KB

Download
memory/5452-1022-0x0000000005F20000-0x000000000947C000-memory.dmp

Filesize
53.4MB

Download
memory/5484-971-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5484-973-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/5484-981-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/5532-957-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5532-965-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/5552-819-0x00000199DD900000-0x00000199DD901000-memory.dmp

Filesize
4KB

Download
memory/5552-818-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/5584-598-0x00007FFC51110000-0x00007FFC51111000-memory.dmp

Filesize
4KB

Download
memory/5584-599-0x00007FFC51B20000-0x00007FFC51B21000-memory.dmp

Filesize
4KB

Download
memory/5584-607-0x0000020580E50000-0x0000020580E90000-memory.dmp

Filesize
256KB

Download
memory/5584-606-0x0000020580E50000-0x0000020580E51000-memory.dmp

Filesize
4KB

Download
memory/5628-411-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-407-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-384-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-386-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-387-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-394-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-381-0x0000000000000000-mapping.dmp

Download
memory/5628-402-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-383-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-418-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-420-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-419-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-417-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-416-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-415-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-414-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-385-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-413-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-412-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-389-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-410-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-409-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-408-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-388-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-390-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-406-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-405-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-391-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-404-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-403-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-392-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-393-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-401-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-400-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-399-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-398-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-397-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-396-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5628-395-0x0000021475390000-0x00000214753900F8-memory.dmp

Filesize
248B

Download
memory/5632-926-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5632-912-0x00000000004C0000-0x00000000004CD000-memory.dmp

Filesize
52KB

Download
memory/5740-779-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/5740-782-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/5808-778-0x0000000000C60000-0x0000000000C6D000-memory.dmp

Filesize
52KB

Download
memory/5808-786-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5836-820-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/5836-821-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/5856-424-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-454-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-440-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-439-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-438-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-437-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-436-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-435-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-434-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-433-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-432-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-431-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-430-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-429-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-428-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-427-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-426-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-425-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-442-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-422-0x0000000000000000-mapping.dmp

Download
memory/5856-443-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-444-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-445-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-447-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-446-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-448-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-450-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-451-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-453-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-441-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-456-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-459-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-460-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-458-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-457-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-455-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-452-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5856-449-0x0000011E57850000-0x0000011E578500F8-memory.dmp

Filesize
248B

Download
memory/5868-1018-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/5868-1011-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5868-1021-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/5880-868-0x0000000077D14000-0x0000000077D15000-memory.dmp

Filesize
4KB

Download
memory/5880-899-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/5880-879-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5880-876-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5928-788-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/5928-790-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/5928-792-0x0000000005470000-0x00000000054AD000-memory.dmp

Filesize
244KB

Download
memory/5928-794-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/5928-795-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/5928-796-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/5928-825-0x0000000006DD0000-0x0000000006E19000-memory.dmp

Filesize
292KB

Download
memory/5928-793-0x00000000052E0000-0x00000000052E2000-memory.dmp

Filesize
8KB

Download
memory/5928-789-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/5928-784-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5928-783-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5948-800-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/5948-802-0x00000000030F0000-0x0000000003182000-memory.dmp

Filesize
584KB

Download
memory/5948-803-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5988-631-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-633-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-636-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-617-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-618-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-619-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-620-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-621-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-622-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-623-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-624-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-625-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-626-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-627-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-634-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-628-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-629-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-635-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-638-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-642-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-646-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-650-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-654-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-637-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-653-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-652-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-651-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-649-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-632-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-630-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-648-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-639-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-647-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-645-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-640-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-641-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-644-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5988-643-0x00000147DC6C0000-0x00000147DC6C00F8-memory.dmp

Filesize
248B

Download
memory/5996-835-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5996-837-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/5996-831-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/5996-830-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/5996-842-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/5996-839-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/5996-838-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/5996-834-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/5996-832-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/5996-827-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5996-843-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/5996-836-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/5996-826-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5996-833-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/6000-857-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/6000-853-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/6000-852-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/6000-871-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6000-865-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/6000-862-0x000000000A710000-0x000000000A745000-memory.dmp

Filesize
212KB

Download
memory/6040-913-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/6044-1045-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6064-660-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-689-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-657-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-658-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-659-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-673-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-661-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-662-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-663-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-664-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-665-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-656-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-667-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-676-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-666-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-668-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-669-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-670-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-671-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-672-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-674-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-675-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-677-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-679-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-681-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-684-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-687-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-691-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-693-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-692-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-690-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-678-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-688-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-686-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-685-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-683-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-682-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6064-680-0x000001D31D130000-0x000001D31D1300F8-memory.dmp

Filesize
248B

Download
memory/6076-462-0x0000000000000000-mapping.dmp

Download
memory/6076-798-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6076-801-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6088-980-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/6088-995-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/6088-976-0x00000000718E0000-0x0000000071FCE000-memory.dmp

Filesize
6.9MB

Download
memory/6112-467-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-473-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-472-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-469-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-474-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-468-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-476-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-477-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-478-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-479-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-480-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-482-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-483-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-484-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-485-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-486-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-487-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-488-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-489-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-491-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-466-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-492-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-493-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-494-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-495-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-496-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-497-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-498-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-500-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-501-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-502-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-503-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-499-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-490-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-481-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-475-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-471-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-470-0x000001C95A420000-0x000001C95A4200F8-memory.dmp

Filesize
248B

Download
memory/6112-464-0x0000000000000000-mapping.dmp

Download
memory/6132-946-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download