azorult | hxxps://crackheap[.]net/

Analysis

max time kernel
586s
max time network
599s
platform
windows10_x64
resource
win10v20201028
submitted
15-02-2021 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crackheap.net/
Sample

210215-fe9bcqlt6e

Score

10^/10

azorult plugx raccoon redline 8a5ae6012868ca42851ee67a7adea59c46a3fb6d bootkit discovery evasion infostealer persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

8a5ae6012868ca42851ee67a7adea59c46a3fb6d

Attributes

url4cnc
https://telete.in/jdiavolenok23

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/724-755-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 64 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exe9E3B.tmp.exe9E79.tmp.exe9F17.tmp.exe9FC3.tmp.exe9E3B.tmp.exeSetup.exeBC863AABC388D491.exeBC863AABC388D491.exemd2_2efs.exe1613382707622.exe1613382709934.exe9F17.tmp.exeBTRSetp.exeThunderFW.exe5507165.60710892.75634628.615478168.60gdrrr.exeWindows Host.exejfiag3g_gg.exejfiag3g_gg.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exe695.tmp.exe85B.tmp.exe88B.tmp.exeC80.tmp.exe695.tmp.exeGDIView.exeGDIView.exeSetup.exemd2_2efs.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exe46DA.tmp.exe47A6.tmp.exe47C6.tmp.exe4BFA.tmp.exeBTRSetp.exe46DA.tmp.exe3985730.438184457.908625543.94Setup.exe3015158.33gdrrr.exe

pid	process
4680	keygen-pr.exe
4692	keygen-step-1.exe
4804	keygen-step-2.exe
4972	keygen-step-3.exe
4920	keygen-step-4.exe
4780	key.exe
2308	file.exe
4520	9E3B.tmp.exe
1296	9E79.tmp.exe
2196	9F17.tmp.exe
3888	9FC3.tmp.exe
4968	9E3B.tmp.exe
4196	Setup.exe
4212	BC863AABC388D491.exe
1064	BC863AABC388D491.exe
2428	md2_2efs.exe
4116	1613382707622.exe
4504	1613382709934.exe
724	9F17.tmp.exe
3348	BTRSetp.exe
1696	ThunderFW.exe
5116	5507165.60
4892	710892.7
5108	5634628.61
4432	5478168.60
3916	gdrrr.exe
4856	Windows Host.exe
5196	jfiag3g_gg.exe
5420	jfiag3g_gg.exe
5732	keygen-pr.exe
5740	keygen-step-1.exe
5768	keygen-step-2.exe
5800	keygen-step-3.exe
5808	keygen-step-4.exe
6136	key.exe
5136	file.exe
4640	695.tmp.exe
1516	85B.tmp.exe
804	88B.tmp.exe
3956	C80.tmp.exe
2252	695.tmp.exe
4560	GDIView.exe
5264	GDIView.exe
1156	Setup.exe
5096	md2_2efs.exe
5832	keygen-pr.exe
6128	keygen-step-1.exe
2912	keygen-step-2.exe
5012	keygen-step-3.exe
5412	keygen-step-4.exe
1920	key.exe
5444	file.exe
1252	46DA.tmp.exe
3152	47A6.tmp.exe
816	47C6.tmp.exe
5104	4BFA.tmp.exe
5504	BTRSetp.exe
5508	46DA.tmp.exe
508	3985730.43
2652	8184457.90
5560	8625543.94
5648	Setup.exe
5668	3015158.33
5888	gdrrr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/2056-685-0x0000000004670000-0x0000000004671000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3015158.332456459.265634628.615478168.60700068.77999659.873713941.403644473.407568639.838625543.94

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3015158.33
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3015158.33
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2456459.26
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5634628.61
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5478168.60
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	700068.7
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7999659.87
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3713941.40
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3644473.40
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7568639.83
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7568639.83
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3713941.40
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	700068.7
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5634628.61
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3644473.40
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8625543.94
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7999659.87
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2456459.26
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5478168.60
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8625543.94

Loads dropped DLL 29 IoCs

Processes:

9E79.tmp.exeMsiExec.exeMsiExec.exeC80.tmp.exeMsiExec.exe9BEF.tmp.exeMsiExec.exeMsiExec.exe823E.tmp.exe

pid	process
1296	9E79.tmp.exe
1296	9E79.tmp.exe
1296	9E79.tmp.exe
1296	9E79.tmp.exe
1296	9E79.tmp.exe
1296	9E79.tmp.exe
2268	MsiExec.exe
4488	MsiExec.exe
3956	C80.tmp.exe
2872	MsiExec.exe
3956	C80.tmp.exe
3956	C80.tmp.exe
3956	C80.tmp.exe
3956	C80.tmp.exe
3956	C80.tmp.exe
1288	9BEF.tmp.exe
5720	MsiExec.exe
1288	9BEF.tmp.exe
1288	9BEF.tmp.exe
1288	9BEF.tmp.exe
1288	9BEF.tmp.exe
1288	9BEF.tmp.exe
4756	MsiExec.exe
5676	823E.tmp.exe
5676	823E.tmp.exe
5676	823E.tmp.exe
5676	823E.tmp.exe
5676	823E.tmp.exe
5676	823E.tmp.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 10 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/5108-805-0x0000000000CA0000-0x0000000000CA1000-memory.dmp	themida
behavioral3/memory/4432-838-0x0000000000EF0000-0x0000000000EF1000-memory.dmp	themida
behavioral3/memory/5560-951-0x0000000000280000-0x0000000000281000-memory.dmp	themida
behavioral3/memory/5668-956-0x0000000000F70000-0x0000000000F71000-memory.dmp	themida
behavioral3/memory/4896-1198-0x0000000000960000-0x0000000000961000-memory.dmp	themida
behavioral3/memory/5392-1206-0x0000000001330000-0x0000000001331000-memory.dmp	themida
behavioral3/memory/4348-1240-0x0000000000C40000-0x0000000000C41000-memory.dmp	themida
behavioral3/memory/5488-1251-0x0000000000BD0000-0x0000000000BD1000-memory.dmp	themida
behavioral3/memory/5776-1360-0x0000000000B90000-0x0000000000B91000-memory.dmp	themida
behavioral3/memory/4704-1403-0x00000000001B0000-0x00000000001B1000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gdrrr.exe710892.7

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	710892.7

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BC863AABC388D491.exemd2_2efs.exe7568639.835478168.60Setup.exe8625543.943015158.33Setup.exeSetup.exeSetup.exe2456459.26Setup.exemd2_2efs.exe5634628.61md2_2efs.exe7999659.873644473.403713941.40BC863AABC388D491.exemd2_2efs.exemd2_2efs.exe700068.7

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7568639.83
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5478168.60
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8625543.94
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3015158.33
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2456459.26
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5634628.61
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7999659.87
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3644473.40
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3713941.40
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	700068.7

Drops Chrome extension 1 IoCs

Processes:

BC863AABC388D491.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbkhpidnlldpilcnmfclgkbpoknjheaj\1.0.0.0_0\manifest.json	BC863AABC388D491.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\Users\Admin\Desktop\desktop.ini msiexec.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

337 api.ipify.org
430 api.ipify.org
475 api.ipify.org
159 api.ipify.org
221 ip-api.com
276 api.ipify.org

flow	ioc
337	api.ipify.org
430	api.ipify.org
475	api.ipify.org
159	api.ipify.org
221	ip-api.com
276	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeBC863AABC388D491.exeBC863AABC388D491.exeSetup.exeSetup.exeSetup.exeSetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	BC863AABC388D491.exe
File opened for modification	\??\PhysicalDrive0	BC863AABC388D491.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

Setup.exe5634628.615478168.60Setup.exe8625543.943015158.33Setup.exeSetup.exe7999659.873644473.407568639.833713941.40Setup.exe700068.72456459.26

pid	process
4196	Setup.exe
5108	5634628.61
4432	5478168.60
1156	Setup.exe
5560	8625543.94
5668	3015158.33
5648	Setup.exe
2484	Setup.exe
4896	7999659.87
5392	3644473.40
4348	7568639.83
5488	3713941.40
96	Setup.exe
5776	700068.7
4704	2456459.26

Suspicious use of SetThreadContext 18 IoCs

Processes:

9E3B.tmp.exeBC863AABC388D491.exe9F17.tmp.exe695.tmp.exe46DA.tmp.exe85B.tmp.exekeygen-step-2.exe99FB.tmp.exe47A6.tmp.exe9B06.tmp.exekeygen-step-2.exekeygen-step-2.exe8106.tmp.exekeygen-step-2.exekeygen-step-2.exe8174.tmp.exe3468.tmp.exe

description	pid	process	target process
PID 4520 set thread context of 4968	4520	9E3B.tmp.exe	9E3B.tmp.exe
PID 4212 set thread context of 4444	4212	BC863AABC388D491.exe	firefox.exe
PID 4212 set thread context of 4988	4212	BC863AABC388D491.exe	firefox.exe
PID 2196 set thread context of 724	2196	9F17.tmp.exe	9F17.tmp.exe
PID 4640 set thread context of 2252	4640	695.tmp.exe	695.tmp.exe
PID 1252 set thread context of 5508	1252	46DA.tmp.exe	46DA.tmp.exe
PID 1516 set thread context of 4108	1516	85B.tmp.exe	85B.tmp.exe
PID 4228 set thread context of 5276	4228	keygen-step-2.exe	keygen-step-2.exe
PID 4452 set thread context of 4512	4452	99FB.tmp.exe	99FB.tmp.exe
PID 3152 set thread context of 5436	3152	47A6.tmp.exe	47A6.tmp.exe
PID 3284 set thread context of 3708	3284	9B06.tmp.exe	9B06.tmp.exe
PID 5600 set thread context of 616	5600	keygen-step-2.exe	keygen-step-2.exe
PID 616 set thread context of 5872	616	keygen-step-2.exe	keygen-step-2.exe
PID 6020 set thread context of 1432	6020	8106.tmp.exe	8106.tmp.exe
PID 4484 set thread context of 5112	4484	keygen-step-2.exe	keygen-step-2.exe
PID 5112 set thread context of 3480	5112	keygen-step-2.exe	keygen-step-2.exe
PID 3504 set thread context of 2040	3504	8174.tmp.exe	8174.tmp.exe
PID 356 set thread context of 5844	356	3468.tmp.exe	3468.tmp.exe

Drops file in Program Files directory 15 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5F66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f782630.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f782630.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI279F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9761.tmp	msiexec.exe
File created	C:\Windows\Installer\f782633.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID728.tmp	msiexec.exe
File created	C:\Windows\Installer\f782628.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f782628.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\f78262a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE700.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2056	2428	WerFault.exe	md2_2efs.exe
5400	5096	WerFault.exe	md2_2efs.exe
5852	5276	WerFault.exe	keygen-step-2.exe
1520	5376	WerFault.exe	md2_2efs.exe
4508	5952	WerFault.exe	md2_2efs.exe
4912	616	WerFault.exe	keygen-step-2.exe
3180	3448	WerFault.exe	md2_2efs.exe
4836	5112	WerFault.exe	keygen-step-2.exe
6060	4384	WerFault.exe	md2_2efs.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeBC863AABC388D491.exeBC863AABC388D491.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	BC863AABC388D491.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	BC863AABC388D491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

695.tmp.exe46DA.tmp.exe99FB.tmp.exekeygen-step-2.exe9E3B.tmp.exekeygen-step-2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	695.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	46DA.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	99FB.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	99FB.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9E3B.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9E3B.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	695.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	46DA.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-2.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3808	timeout.exe
1836	timeout.exe
4872	timeout.exe
1332	timeout.exe
4944	timeout.exe
4980	timeout.exe
4016	timeout.exe
2208	timeout.exe
4528	timeout.exe
972	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4392 taskkill.exe

pid	process
4392	taskkill.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

file.exesvchost.exefile.exefile.exefile.exefile.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies registry class 2 IoCs

Processes:

chrome.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 26 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4600	PING.EXE
3000	PING.EXE
4176	PING.EXE
3388	PING.EXE
5328	PING.EXE
5368	PING.EXE
2820	PING.EXE
3372	PING.EXE
4876	PING.EXE
3320	PING.EXE
5228	PING.EXE
904	PING.EXE
6004	PING.EXE
4204	PING.EXE
3100	PING.EXE
5564	PING.EXE
5240	PING.EXE
2732	PING.EXE
4232	PING.EXE
5052	PING.EXE
5784	PING.EXE
4844	PING.EXE
4388	PING.EXE
4544	PING.EXE
4052	PING.EXE
5084	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exefile.exe9E3B.tmp.exe1613382707622.exeWerFault.exe1613382709934.exemsiexec.exechrome.exechrome.exechrome.exe9F17.tmp.exe5507165.60

pid	process
2780	chrome.exe
2780	chrome.exe
1192	chrome.exe
1192	chrome.exe
4644	chrome.exe
4644	chrome.exe
5084	chrome.exe
5084	chrome.exe
4852	chrome.exe
4852	chrome.exe
4244	chrome.exe
4244	chrome.exe
376	chrome.exe
376	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4892	chrome.exe
4892	chrome.exe
4820	chrome.exe
4820	chrome.exe
4244	chrome.exe
4244	chrome.exe
2308	file.exe
2308	file.exe
2308	file.exe
2308	file.exe
4968	9E3B.tmp.exe
4968	9E3B.tmp.exe
4116	1613382707622.exe
4116	1613382707622.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
4504	1613382709934.exe
4504	1613382709934.exe
4772	msiexec.exe
4772	msiexec.exe
2836	chrome.exe
2836	chrome.exe
2392	chrome.exe
2392	chrome.exe
5140	chrome.exe
5140	chrome.exe
724	9F17.tmp.exe
724	9F17.tmp.exe
724	9F17.tmp.exe
5116	5507165.60
5116	5507165.60
5116	5507165.60

Suspicious behavior: SetClipboardViewer 4 IoCs

Processes:

8184457.907058085.77672651.76683479.73

pid process

2652 8184457.90
5828 7058085.77
4360 672651.7
6024 6683479.73

pid	process
2652	8184457.90
5828	7058085.77
4360	672651.7
6024	6683479.73

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9F17.tmp.exefile.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2196	9F17.tmp.exe
Token: SeDebugPrivilege	2308	file.exe
Token: SeShutdownPrivilege	3104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3104	msiexec.exe
Token: SeSecurityPrivilege	4772	msiexec.exe
Token: SeCreateTokenPrivilege	3104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3104	msiexec.exe
Token: SeLockMemoryPrivilege	3104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3104	msiexec.exe
Token: SeMachineAccountPrivilege	3104	msiexec.exe
Token: SeTcbPrivilege	3104	msiexec.exe
Token: SeSecurityPrivilege	3104	msiexec.exe
Token: SeTakeOwnershipPrivilege	3104	msiexec.exe
Token: SeLoadDriverPrivilege	3104	msiexec.exe
Token: SeSystemProfilePrivilege	3104	msiexec.exe
Token: SeSystemtimePrivilege	3104	msiexec.exe
Token: SeProfSingleProcessPrivilege	3104	msiexec.exe
Token: SeIncBasePriorityPrivilege	3104	msiexec.exe
Token: SeCreatePagefilePrivilege	3104	msiexec.exe
Token: SeCreatePermanentPrivilege	3104	msiexec.exe
Token: SeBackupPrivilege	3104	msiexec.exe
Token: SeRestorePrivilege	3104	msiexec.exe
Token: SeShutdownPrivilege	3104	msiexec.exe
Token: SeDebugPrivilege	3104	msiexec.exe
Token: SeAuditPrivilege	3104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3104	msiexec.exe
Token: SeChangeNotifyPrivilege	3104	msiexec.exe
Token: SeRemoteShutdownPrivilege	3104	msiexec.exe
Token: SeUndockPrivilege	3104	msiexec.exe
Token: SeSyncAgentPrivilege	3104	msiexec.exe
Token: SeEnableDelegationPrivilege	3104	msiexec.exe
Token: SeManageVolumePrivilege	3104	msiexec.exe
Token: SeImpersonatePrivilege	3104	msiexec.exe
Token: SeCreateGlobalPrivilege	3104	msiexec.exe
Token: SeCreateTokenPrivilege	3104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3104	msiexec.exe
Token: SeLockMemoryPrivilege	3104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3104	msiexec.exe
Token: SeMachineAccountPrivilege	3104	msiexec.exe
Token: SeTcbPrivilege	3104	msiexec.exe
Token: SeSecurityPrivilege	3104	msiexec.exe
Token: SeTakeOwnershipPrivilege	3104	msiexec.exe
Token: SeLoadDriverPrivilege	3104	msiexec.exe
Token: SeSystemProfilePrivilege	3104	msiexec.exe
Token: SeSystemtimePrivilege	3104	msiexec.exe
Token: SeProfSingleProcessPrivilege	3104	msiexec.exe
Token: SeIncBasePriorityPrivilege	3104	msiexec.exe
Token: SeCreatePagefilePrivilege	3104	msiexec.exe
Token: SeCreatePermanentPrivilege	3104	msiexec.exe
Token: SeBackupPrivilege	3104	msiexec.exe
Token: SeRestorePrivilege	3104	msiexec.exe
Token: SeShutdownPrivilege	3104	msiexec.exe
Token: SeDebugPrivilege	3104	msiexec.exe
Token: SeAuditPrivilege	3104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3104	msiexec.exe
Token: SeChangeNotifyPrivilege	3104	msiexec.exe
Token: SeRemoteShutdownPrivilege	3104	msiexec.exe
Token: SeUndockPrivilege	3104	msiexec.exe
Token: SeSyncAgentPrivilege	3104	msiexec.exe
Token: SeEnableDelegationPrivilege	3104	msiexec.exe
Token: SeManageVolumePrivilege	3104	msiexec.exe
Token: SeImpersonatePrivilege	3104	msiexec.exe
Token: SeCreateGlobalPrivilege	3104	msiexec.exe
Token: SeCreateTokenPrivilege	3104	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exemsiexec.exechrome.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
3104	msiexec.exe
3104	msiexec.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
5304	msiexec.exe
2976	msiexec.exe
5304	msiexec.exe
2976	msiexec.exe
4652	msiexec.exe
4652	msiexec.exe
5188	msiexec.exe
5188	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1192 wrote to memory of 1256	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1256	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3764	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2780	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2780	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2828	1192	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://crackheap.net/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffe306b6e00,0x7ffe306b6e10,0x7ffe306b6e20
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1520 /prefetch:2
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7e21c7740,0x7ff7e21c7750,0x7ff7e21c7760
3⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5872 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6400 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6680 /prefetch:8
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6672 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7044 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7284 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7164 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7432 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7440 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7832 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7984 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8124 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4360 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8200 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8092 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7912 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7736 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7872 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7484 /prefetch:8
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=768 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7944 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3360 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1608 /prefetch:1
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2764 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7528 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7388 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7408 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8160 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9122809756248387481,18230266389580061821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:4276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Temp2_Adobe_After_Effects_CS4_keygen.zip\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Adobe_After_Effects_CS4_keygen.zip\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:4136

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4680

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Roaming\9E79.tmp.exe
"C:\Users\Admin\AppData\Roaming\9E79.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\9E79.tmp.exe"
5⤵
PID:304

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2732

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:864

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Roaming\9E3B.tmp.exe
"C:\Users\Admin\AppData\Roaming\9E3B.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4520

C:\Users\Admin\AppData\Roaming\9E3B.tmp.exe
"C:\Users\Admin\AppData\Roaming\9E3B.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Users\Admin\AppData\Roaming\9F17.tmp.exe
"C:\Users\Admin\AppData\Roaming\9F17.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Roaming\9F17.tmp.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:724

C:\Users\Admin\AppData\Roaming\9FC3.tmp.exe
"C:\Users\Admin\AppData\Roaming\9FC3.tmp.exe"
5⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9FC3.tmp.exe
6⤵
PID:4768

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4608

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3320

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:4196

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3104

C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe
C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:4212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4444

C:\Users\Admin\AppData\Roaming\1613382707622.exe
"C:\Users\Admin\AppData\Roaming\1613382707622.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613382707622.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4988

C:\Users\Admin\AppData\Roaming\1613382709934.exe
"C:\Users\Admin\AppData\Roaming\1613382709934.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613382709934.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe"
6⤵
PID:5036

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:5228

C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe
C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\BC863AABC388D491.exe"
6⤵
PID:4828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4232

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:4908

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4600

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 2772
5⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:3348

C:\ProgramData\5507165.60
"C:\ProgramData\5507165.60"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\ProgramData\710892.7
"C:\ProgramData\710892.7"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4892

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:4856

C:\ProgramData\5634628.61
"C:\ProgramData\5634628.61"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5108

C:\ProgramData\5478168.60
"C:\ProgramData\5478168.60"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4432

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B8189ADC07C4EAFA19A331BEC44D8654 C
2⤵
- Loads dropped DLL
PID:2268

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:808

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57EC384DCD0BA50CD7C91719F6FE852B C
2⤵
- Loads dropped DLL
PID:4488

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 716A4400719E184729A9710CC8C55382 C
2⤵
- Loads dropped DLL
PID:2872

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 214DCCE64574ED5AB91D939E5B077D1D C
2⤵
- Loads dropped DLL
PID:5720

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3215B770E6D226A5ACB5CCB072840E8B C
2⤵
- Loads dropped DLL
PID:4756

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6A32FB4C2D6FE1F419F114A3E4B3AB35 C
2⤵
PID:348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe21156e00,0x7ffe21156e10,0x7ffe21156e20
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 /prefetch:8
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1724 /prefetch:2
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --disable-gpu-compositing --lang=en-US --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --disable-gpu-compositing --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --disable-gpu-compositing --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,11957251890643140165,14333550029169239284,131072 --disable-gpu-compositing --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
2⤵
PID:5288

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:5588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen.bat" "
2⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
4⤵
- Executes dropped EXE
PID:6136

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5740

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:5768

C:\Users\Admin\AppData\Roaming\C80.tmp.exe
"C:\Users\Admin\AppData\Roaming\C80.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\C80.tmp.exe"
5⤵
PID:2648

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe" >> NUL
4⤵
PID:3244

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4844

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:5800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe"
4⤵
PID:5192

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5052

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5136

C:\Users\Admin\AppData\Roaming\695.tmp.exe
"C:\Users\Admin\AppData\Roaming\695.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4640

C:\Users\Admin\AppData\Roaming\695.tmp.exe
"C:\Users\Admin\AppData\Roaming\695.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2252

C:\Users\Admin\AppData\Roaming\85B.tmp.exe
"C:\Users\Admin\AppData\Roaming\85B.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1516

C:\Users\Admin\AppData\Roaming\85B.tmp.exe
"{path}"
6⤵
PID:4108

C:\Users\Admin\AppData\Roaming\88B.tmp.exe
"C:\Users\Admin\AppData\Roaming\88B.tmp.exe"
5⤵
- Executes dropped EXE
PID:804

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\88B.tmp.exe
6⤵
PID:1408

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
5⤵
PID:4000

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4388

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1156

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5304

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:4952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:3000

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 2932
5⤵
- Program crash
PID:5400

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:5504

C:\ProgramData\3985730.43
"C:\ProgramData\3985730.43"
5⤵
- Executes dropped EXE
PID:508

C:\ProgramData\8184457.90
"C:\ProgramData\8184457.90"
5⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2652

C:\ProgramData\8625543.94
"C:\ProgramData\8625543.94"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5560

C:\ProgramData\3015158.33
"C:\ProgramData\3015158.33"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5668

C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe"
4⤵
- Executes dropped EXE
PID:5888

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3776

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
PID:5264

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen.bat" "
2⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5832

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe"
4⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:6128

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe"
4⤵
PID:5236

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4544

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5412

C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5444

C:\Users\Admin\AppData\Roaming\46DA.tmp.exe
"C:\Users\Admin\AppData\Roaming\46DA.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1252

C:\Users\Admin\AppData\Roaming\46DA.tmp.exe
"C:\Users\Admin\AppData\Roaming\46DA.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5508

C:\Users\Admin\AppData\Roaming\47A6.tmp.exe
"C:\Users\Admin\AppData\Roaming\47A6.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3152

C:\Users\Admin\AppData\Roaming\47A6.tmp.exe
"{path}"
6⤵
PID:5436

C:\Users\Admin\AppData\Roaming\47C6.tmp.exe
"C:\Users\Admin\AppData\Roaming\47C6.tmp.exe"
5⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\47C6.tmp.exe
6⤵
PID:5336

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe"
5⤵
PID:1884

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:904

C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5648

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe"
5⤵
PID:5208

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:3388

C:\Users\Admin\AppData\Local\Temp\RarSFX6\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 4720
5⤵
- Program crash
PID:1520

C:\Users\Admin\AppData\Local\Temp\RarSFX6\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\BTRSetp.exe"
4⤵
PID:4304

C:\ProgramData\6940688.76
"C:\ProgramData\6940688.76"
5⤵
PID:1580

C:\ProgramData\672651.7
"C:\ProgramData\672651.7"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:4360

C:\ProgramData\7568639.83
"C:\ProgramData\7568639.83"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4348

C:\ProgramData\3713941.40
"C:\ProgramData\3713941.40"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5488

C:\Users\Admin\AppData\Local\Temp\RarSFX6\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\gdrrr.exe"
4⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Roaming\4BFA.tmp.exe
"C:\Users\Admin\AppData\Roaming\4BFA.tmp.exe"
4⤵
- Executes dropped EXE
PID:5104

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe"
4⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-2.exe" >> NUL
4⤵
PID:2440

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4176

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen.bat" "
2⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Suspicious use of SetThreadContext
PID:4228

C:\Users\Admin\AppData\Roaming\9BEF.tmp.exe
"C:\Users\Admin\AppData\Roaming\9BEF.tmp.exe"
4⤵
- Loads dropped DLL
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\9BEF.tmp.exe"
5⤵
PID:4548

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2208

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe"
4⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe"
5⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 528
5⤵
- Program crash
PID:5852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-2.exe" >> NUL
4⤵
PID:5704

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4204

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
4⤵
- Modifies data under HKEY_USERS
PID:2356

C:\Users\Admin\AppData\Roaming\99FB.tmp.exe
"C:\Users\Admin\AppData\Roaming\99FB.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:4452

C:\Users\Admin\AppData\Roaming\99FB.tmp.exe
"C:\Users\Admin\AppData\Roaming\99FB.tmp.exe"
6⤵
- Checks processor information in registry
PID:4512

C:\Users\Admin\AppData\Roaming\9B45.tmp.exe
"C:\Users\Admin\AppData\Roaming\9B45.tmp.exe"
5⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9B45.tmp.exe
6⤵
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4016

C:\Users\Admin\AppData\Roaming\9B06.tmp.exe
"C:\Users\Admin\AppData\Roaming\9B06.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3284

C:\Users\Admin\AppData\Roaming\9B06.tmp.exe
"{path}"
6⤵
PID:5384

C:\Users\Admin\AppData\Roaming\9B06.tmp.exe
"{path}"
6⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
5⤵
PID:6000

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5328

C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
4⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2484

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4652

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
5⤵
PID:5152

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5784

C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 2672
5⤵
- Program crash
PID:4508

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"
4⤵
PID:4268

C:\ProgramData\7558573.83
"C:\ProgramData\7558573.83"
5⤵
PID:5464

C:\ProgramData\7058085.77
"C:\ProgramData\7058085.77"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:5828

C:\ProgramData\7999659.87
"C:\ProgramData\7999659.87"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4896

C:\ProgramData\3644473.40
"C:\ProgramData\3644473.40"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5392

C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe"
4⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe"
4⤵
PID:2164

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:6004

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe"
4⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4712

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b4d85cb810674819818da705d564dee7 /t 2988 /p 2984
1⤵
PID:3768

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen.bat" "
2⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"
4⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Suspicious use of SetThreadContext
PID:5600

C:\Users\Admin\AppData\Roaming\823E.tmp.exe
"C:\Users\Admin\AppData\Roaming\823E.tmp.exe"
4⤵
- Loads dropped DLL
PID:5676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\823E.tmp.exe"
5⤵
PID:1748

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4872

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe"
4⤵
- Suspicious use of SetThreadContext
PID:616

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe"
5⤵
- Checks processor information in registry
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 524
5⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe" >> NUL
4⤵
PID:5500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4052

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:5372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-3.exe"
4⤵
PID:5948

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3100

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
4⤵
- Modifies data under HKEY_USERS
PID:5572

C:\Users\Admin\AppData\Roaming\8106.tmp.exe
"C:\Users\Admin\AppData\Roaming\8106.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:6020

C:\Users\Admin\AppData\Roaming\8106.tmp.exe
"C:\Users\Admin\AppData\Roaming\8106.tmp.exe"
6⤵
PID:1432

C:\Users\Admin\AppData\Roaming\8174.tmp.exe
"C:\Users\Admin\AppData\Roaming\8174.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3504

C:\Users\Admin\AppData\Roaming\8174.tmp.exe
"{path}"
6⤵
PID:1712

C:\Users\Admin\AppData\Roaming\8174.tmp.exe
"{path}"
6⤵
PID:2040

C:\Users\Admin\AppData\Roaming\81C3.tmp.exe
"C:\Users\Admin\AppData\Roaming\81C3.tmp.exe"
5⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\81C3.tmp.exe
6⤵
PID:5956

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
5⤵
PID:3676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5368

C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe"
4⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:96

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5188

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe"
5⤵
PID:4260

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5084

C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 2772
5⤵
- Program crash
PID:3180

C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe"
4⤵
PID:5256

C:\ProgramData\6212691.68
"C:\ProgramData\6212691.68"
5⤵
PID:5004

C:\ProgramData\6683479.73
"C:\ProgramData\6683479.73"
5⤵
- Suspicious behavior: SetClipboardViewer
PID:6024

C:\ProgramData\700068.7
"C:\ProgramData\700068.7"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5776

C:\ProgramData\2456459.26
"C:\ProgramData\2456459.26"
5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4704

C:\Users\Admin\AppData\Local\Temp\RarSFX10\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\gdrrr.exe"
4⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2780

C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe
"C:\Users\Admin\Desktop\Adobe_After_Effects_CS4_keygen.exe"
1⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen.bat" "
2⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\RarSFX12\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX12\key.exe"
4⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\RarSFX12\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX12\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Suspicious use of SetThreadContext
PID:4484

C:\Users\Admin\AppData\Roaming\2DE0.tmp.exe
"C:\Users\Admin\AppData\Roaming\2DE0.tmp.exe"
4⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe"
4⤵
- Suspicious use of SetThreadContext
PID:5112

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe"
5⤵
- Checks processor information in registry
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 524
5⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-2.exe" >> NUL
4⤵
PID:5660

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2820

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-3.exe"
4⤵
PID:4764

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3372

C:\Users\Admin\AppData\Local\Temp\RarSFX11\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\RarSFX13\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX13\file.exe"
4⤵
PID:4832

C:\Users\Admin\AppData\Roaming\3468.tmp.exe
"C:\Users\Admin\AppData\Roaming\3468.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:356

C:\Users\Admin\AppData\Roaming\3468.tmp.exe
"C:\Users\Admin\AppData\Roaming\3468.tmp.exe"
6⤵
PID:5844

C:\Users\Admin\AppData\Roaming\3787.tmp.exe
"C:\Users\Admin\AppData\Roaming\3787.tmp.exe"
5⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\3787.tmp.exe
6⤵
PID:5176

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:972

C:\Users\Admin\AppData\Roaming\3776.tmp.exe
"C:\Users\Admin\AppData\Roaming\3776.tmp.exe"
5⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX13\file.exe"
5⤵
PID:4316

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5564

C:\Users\Admin\AppData\Local\Temp\RarSFX13\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX13\Setup.exe"
4⤵
PID:4364

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX13\Setup.exe"
5⤵
PID:3640

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5240

C:\Users\Admin\AppData\Local\Temp\RarSFX13\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX13\md2_2efs.exe"
4⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2724
5⤵
- Program crash
PID:6060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5
73f6d0da60e501a81f81c6ecc348413a

SHA1
1445b5552db219dcf03e3cf95e1d8b51c1469a11

SHA256
0dc4aa1ed41456c50da42d668c42c59cc9234b7ecb57bc30dfa5249aea460ca1

SHA512
2cf98e8bd3faf877c094fb013fccebed4f8b99b41fa8d5eaf8f9838b8e940611ec6dede4171ea9e2b497fe4757427e77176e8de4de201e662ee0b628ec209a68

Download Submit
\??\pipe\crashpad_1192_UJCGZHDQWHDCNAIJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/356-1438-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/376-387-0x0000000000000000-mapping.dmp

Download
memory/508-943-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/508-930-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/616-1315-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/724-777-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/724-761-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/724-779-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/724-824-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/724-756-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/724-759-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/724-760-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/724-784-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/724-762-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/724-755-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/724-763-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/724-764-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/724-765-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/724-766-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/804-425-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-412-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-416-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-427-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-431-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-430-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-429-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-428-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-426-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-404-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-424-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-423-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-422-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-421-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-420-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-419-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-418-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-417-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-415-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-414-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-413-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-409-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-411-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-410-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-408-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-407-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-406-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-405-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-403-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-400-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-870-0x0000000005A10000-0x0000000008F6C000-memory.dmp

Filesize
53.4MB

Download
memory/804-392-0x0000000000000000-mapping.dmp

Download
memory/804-402-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-401-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-399-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-398-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-397-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-396-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-395-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/804-394-0x0000013192450000-0x00000131924500F8-memory.dmp

Filesize
248B

Download
memory/816-910-0x0000000005C10000-0x000000000916C000-memory.dmp

Filesize
53.4MB

Download
memory/864-243-0x0000000000000000-mapping.dmp

Download
memory/904-93-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-79-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-97-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-96-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-95-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-94-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-91-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-14-0x0000000000000000-mapping.dmp

Download
memory/904-90-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-89-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-88-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-86-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-85-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-84-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-63-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-67-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-69-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-73-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-77-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-83-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-81-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-82-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-80-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-100-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-87-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-92-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-99-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-78-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-98-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-64-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-65-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-66-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-68-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-70-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-71-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-72-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-74-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-75-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/904-76-0x00000269D4C00000-0x00000269D4C000F8-memory.dmp

Filesize
248B

Download
memory/1064-680-0x0000000002ED0000-0x000000000337F000-memory.dmp

Filesize
4.7MB

Download
memory/1252-921-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/1256-2-0x0000000000000000-mapping.dmp

Download
memory/1288-1095-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1288-1079-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1296-672-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1296-675-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1296-674-0x0000000003100000-0x0000000003192000-memory.dmp

Filesize
584KB

Download
memory/1516-860-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/1516-872-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1516-873-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1520-1129-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1580-1246-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1580-1223-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-328-0x0000000000000000-mapping.dmp

Download
memory/1892-245-0x0000000000000000-mapping.dmp

Download
memory/1920-894-0x0000000003400000-0x000000000359C000-memory.dmp

Filesize
1.6MB

Download
memory/2004-206-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-199-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-992-0x0000000002D70000-0x0000000002F0C000-memory.dmp

Filesize
1.6MB

Download
memory/2004-10-0x0000000000000000-mapping.dmp

Download
memory/2004-187-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-191-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-180-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-181-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-182-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-183-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-185-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-186-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-188-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-189-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-190-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-192-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-193-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-194-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-195-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-196-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-198-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-184-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-200-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-201-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-202-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-203-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-204-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-205-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-207-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-208-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-209-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-210-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-211-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-212-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-213-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-214-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-215-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-217-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-216-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2004-197-0x000001EEC4440000-0x000001EEC44400F8-memory.dmp

Filesize
248B

Download
memory/2040-1429-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/2040-1416-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-742-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-688-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-714-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-713-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-712-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-749-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-741-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-716-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-743-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-715-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-744-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-745-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-746-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-747-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-748-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-717-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-718-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-719-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-720-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-722-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-721-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-723-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-724-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-726-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-684-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2056-685-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2056-687-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-750-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-690-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-689-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-691-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-692-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-694-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-693-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-696-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-695-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-697-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-727-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-699-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-700-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-698-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-701-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-702-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-703-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-711-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-705-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-704-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-706-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-707-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-708-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-709-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-740-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-739-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-738-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-736-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-737-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-734-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-735-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-733-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-730-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-732-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-731-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-729-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-728-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-725-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2056-710-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2076-127-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-111-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-115-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-121-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-131-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-112-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-128-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-110-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-108-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-107-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-106-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-105-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-104-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-103-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-101-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-117-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-118-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-119-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-102-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-122-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-123-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-124-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-125-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-126-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-120-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-109-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-114-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-130-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-132-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-133-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-129-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-134-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-116-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-138-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-137-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-136-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-17-0x0000000000000000-mapping.dmp

Download
memory/2076-135-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2076-113-0x000001ABC68A0000-0x000001ABC68A00F8-memory.dmp

Filesize
248B

Download
memory/2160-340-0x0000000000000000-mapping.dmp

Download
memory/2196-663-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2196-666-0x0000000004EF0000-0x0000000004EF2000-memory.dmp

Filesize
8KB

Download
memory/2196-662-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2196-665-0x0000000004F90000-0x0000000004FCD000-memory.dmp

Filesize
244KB

Download
memory/2196-667-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/2196-668-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2196-661-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2196-754-0x0000000006910000-0x0000000006959000-memory.dmp

Filesize
292KB

Download
memory/2196-657-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2196-656-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-669-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2208-473-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-453-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-436-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-472-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-437-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-471-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-470-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-469-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-468-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-467-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-466-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-465-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-464-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-463-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-462-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-460-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-461-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-459-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-457-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-458-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-456-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-455-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-454-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-438-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-452-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-451-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-450-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-449-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-448-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-439-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-447-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-446-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-440-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-445-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-444-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-443-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-442-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2208-441-0x0000020428880000-0x00000204288800F8-memory.dmp

Filesize
248B

Download
memory/2252-247-0x0000000000000000-mapping.dmp

Download
memory/2268-271-0x0000000000000000-mapping.dmp

Download
memory/2272-269-0x0000000000000000-mapping.dmp

Download
memory/2308-659-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2308-653-0x0000000000D00000-0x0000000000D0D000-memory.dmp

Filesize
52KB

Download
memory/2356-985-0x0000000000440000-0x000000000044D000-memory.dmp

Filesize
52KB

Download
memory/2356-1009-0x0000000003840000-0x000000000388A000-memory.dmp

Filesize
296KB

Download
memory/2428-506-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-490-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-520-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-517-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-512-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-510-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-507-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-505-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-503-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-502-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-500-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-499-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-498-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-497-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-525-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-524-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-496-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-495-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-523-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-494-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-493-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-492-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-491-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-522-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-521-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-519-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-518-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-516-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-501-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-504-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-526-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-508-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-509-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-511-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-513-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-515-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2428-514-0x000001FA8BA00000-0x000001FA8BA000F8-memory.dmp

Filesize
248B

Download
memory/2464-1415-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2576-1306-0x0000000005A90000-0x0000000008FEC000-memory.dmp

Filesize
53.4MB

Download
memory/2652-931-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-945-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2780-5-0x0000000000000000-mapping.dmp

Download
memory/2828-7-0x0000000000000000-mapping.dmp

Download
memory/2912-893-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

Filesize
52KB

Download
memory/3152-915-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3152-903-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/3152-916-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/3180-1330-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3280-15-0x0000000000000000-mapping.dmp

Download
memory/3280-25-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-45-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-50-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-47-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-44-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-43-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-51-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-42-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-52-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-41-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-54-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-40-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-56-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-58-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-39-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-38-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-37-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-36-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-35-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-34-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-33-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-32-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-31-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-29-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-30-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-28-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-27-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-26-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-46-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-24-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-49-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-60-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-61-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-59-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-48-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-57-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-55-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3280-53-0x00000238F2E90000-0x00000238F2E900F8-memory.dmp

Filesize
248B

Download
memory/3284-1022-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/3284-998-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/3284-1021-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3348-770-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3348-772-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/3348-768-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3348-767-0x00007FFE1D9D0000-0x00007FFE1E3BC000-memory.dmp

Filesize
9.9MB

Download
memory/3348-773-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3348-771-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/3464-11-0x0000000000000000-mapping.dmp

Download
memory/3504-1317-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3504-1316-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3504-1301-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/3704-338-0x0000000000000000-mapping.dmp

Download
memory/3708-1157-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3708-1148-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-4-0x0000000000000000-mapping.dmp

Download
memory/3764-6-0x00007FFE3C4D0000-0x00007FFE3C4D1000-memory.dmp

Filesize
4KB

Download
memory/3768-1097-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1064-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1115-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1114-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1113-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1112-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1110-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1111-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1109-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1108-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1106-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1078-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1083-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1085-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1086-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1089-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1094-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1103-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1104-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1102-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1101-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1100-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1099-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1054-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1098-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1096-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1092-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1091-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1090-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1088-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1087-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1084-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1080-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1082-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1081-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1077-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1076-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1045-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1048-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1050-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1046-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1057-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1037-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1038-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1041-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1043-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1044-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1039-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1036-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1035-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1034-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1032-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1033-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1031-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1026-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1030-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1029-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1027-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1025-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1024-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1056-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1059-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1117-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1061-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1065-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1066-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1067-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1068-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1060-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1071-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1072-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1073-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1074-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1069-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1070-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3768-1075-0x000002FB51300000-0x000002FB51301000-memory.dmp

Filesize
4KB

Download
memory/3800-160-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-174-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-158-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-172-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-177-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-176-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-175-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-159-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-173-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-171-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-170-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-169-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-140-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-167-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-166-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-141-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-165-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-164-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-163-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-162-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-168-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-150-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-161-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-157-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-156-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-155-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-154-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-153-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-152-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-151-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-149-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-148-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-142-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-147-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-19-0x0000000000000000-mapping.dmp

Download
memory/3800-143-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-146-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-145-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3800-144-0x0000022B855E0000-0x0000022B855E00F8-memory.dmp

Filesize
248B

Download
memory/3884-1012-0x0000000005980000-0x0000000008EDC000-memory.dmp

Filesize
53.4MB

Download
memory/3888-660-0x0000000005A00000-0x0000000008F5C000-memory.dmp

Filesize
53.4MB

Download
memory/3888-664-0x0000000000400000-0x000000000395C000-memory.dmp

Filesize
53.4MB

Download
memory/3892-554-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-533-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-556-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-555-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-553-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-552-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-551-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-558-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-550-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-549-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-548-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-547-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-546-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-545-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-544-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-543-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-542-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-541-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-539-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-538-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-537-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-536-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-534-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-557-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-532-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-531-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-530-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-529-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-528-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-559-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-560-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-561-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-562-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-535-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-563-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-564-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-565-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3892-540-0x000001D704A50000-0x000001D704A500F8-memory.dmp

Filesize
248B

Download
memory/3956-879-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3956-881-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4108-1000-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4108-1011-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/4180-1372-0x0000000002DE0000-0x0000000002F7C000-memory.dmp

Filesize
1.6MB

Download
memory/4196-677-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/4212-681-0x00000000037C0000-0x0000000003C6F000-memory.dmp

Filesize
4.7MB

Download
memory/4228-983-0x0000000000DE0000-0x0000000000DED000-memory.dmp

Filesize
52KB

Download
memory/4244-384-0x0000000000000000-mapping.dmp

Download
memory/4268-1166-0x00007FFE1D9D0000-0x00007FFE1E3BC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-1172-0x000000001CA80000-0x000000001CA82000-memory.dmp

Filesize
8KB

Download
memory/4292-22-0x0000000000000000-mapping.dmp

Download
memory/4304-1186-0x000000001C700000-0x000000001C702000-memory.dmp

Filesize
8KB

Download
memory/4304-1173-0x00007FFE1D9D0000-0x00007FFE1E3BC000-memory.dmp

Filesize
9.9MB

Download
memory/4328-235-0x0000000000000000-mapping.dmp

Download
memory/4348-1250-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4348-1240-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4348-1236-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4352-1400-0x0000000005A30000-0x0000000008F8C000-memory.dmp

Filesize
53.4MB

Download
memory/4360-1225-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4360-1243-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4388-241-0x0000000000000000-mapping.dmp

Download
memory/4432-837-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4432-838-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4432-843-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4432-847-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4444-682-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4444-683-0x0000028632DD0000-0x0000028632DD1000-memory.dmp

Filesize
4KB

Download
memory/4452-1047-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4456-382-0x0000000000000000-mapping.dmp

Download
memory/4476-336-0x0000000000000000-mapping.dmp

Download
memory/4484-1371-0x00000000007E0000-0x00000000007ED000-memory.dmp

Filesize
52KB

Download
memory/4484-644-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-614-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-612-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-611-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-608-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-326-0x0000000000000000-mapping.dmp

Download
memory/4484-635-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-634-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-633-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-615-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-609-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-616-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-618-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-617-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-632-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-631-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-620-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-622-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-625-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-627-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-636-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-645-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-613-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-643-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-642-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-641-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-640-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-639-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-638-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-630-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-610-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-637-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-619-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-621-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-623-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-624-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-626-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-628-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4484-629-0x00000125E7880000-0x00000125E78800F8-memory.dmp

Filesize
248B

Download
memory/4496-239-0x0000000000000000-mapping.dmp

Download
memory/4508-1138-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4520-670-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/4520-673-0x0000000003050000-0x0000000003095000-memory.dmp

Filesize
276KB

Download
memory/4524-237-0x0000000000000000-mapping.dmp

Download
memory/4528-282-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-318-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-265-0x0000000000000000-mapping.dmp

Download
memory/4528-288-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-281-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-283-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-285-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-284-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-286-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-287-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-289-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-290-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-292-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-293-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-291-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-295-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-298-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-300-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-303-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-307-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-312-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-294-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-317-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-316-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-315-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-314-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-313-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-311-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-310-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-309-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-308-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-306-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-305-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-304-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-302-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-301-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-299-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-297-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4528-296-0x000001903F6A0000-0x000001903F6A00F8-memory.dmp

Filesize
248B

Download
memory/4536-266-0x0000000000000000-mapping.dmp

Download
memory/4560-385-0x0000000000000000-mapping.dmp

Download
memory/4600-323-0x0000000000000000-mapping.dmp

Download
memory/4620-351-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-322-0x0000000000000000-mapping.dmp

Download
memory/4620-350-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-342-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-343-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-344-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-345-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-346-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-352-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-354-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-355-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-347-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-356-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-358-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-359-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-348-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-360-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-349-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-353-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-361-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-362-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-363-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-364-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-357-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-371-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-379-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-378-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-377-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-376-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-375-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-365-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-366-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-367-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-374-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-368-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-373-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-369-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-370-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4620-372-0x000001F1E5910000-0x000001F1E59100F8-memory.dmp

Filesize
248B

Download
memory/4640-875-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/4640-578-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-595-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-569-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-590-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-583-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-576-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-575-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-584-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-585-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-586-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-587-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-581-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-588-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-579-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-604-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-605-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-596-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-597-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-592-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-591-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-580-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-574-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-593-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-573-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-577-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-594-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-582-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-603-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-570-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-602-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-601-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-598-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-568-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-589-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-571-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-599-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-572-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4640-600-0x000001F0CBA00000-0x000001F0CBA000F8-memory.dmp

Filesize
248B

Download
memory/4644-219-0x0000000000000000-mapping.dmp

Download
memory/4656-249-0x0000000000000000-mapping.dmp

Download
memory/4668-273-0x0000000000000000-mapping.dmp

Download
memory/4684-388-0x0000000000000000-mapping.dmp

Download
memory/4692-320-0x0000000000000000-mapping.dmp

Download
memory/4704-1402-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4704-1403-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4704-1418-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4704-220-0x0000000000000000-mapping.dmp

Download
memory/4712-275-0x0000000000000000-mapping.dmp

Download
memory/4716-251-0x0000000000000000-mapping.dmp

Download
memory/4744-222-0x0000000000000000-mapping.dmp

Download
memory/4756-253-0x0000000000000000-mapping.dmp

Download
memory/4760-332-0x0000000000000000-mapping.dmp

Download
memory/4760-224-0x0000000000000000-mapping.dmp

Download
memory/4780-654-0x0000000003150000-0x00000000032EC000-memory.dmp

Filesize
1.6MB

Download
memory/4792-330-0x0000000000000000-mapping.dmp

Download
memory/4804-655-0x0000000000B30000-0x0000000000B3D000-memory.dmp

Filesize
52KB

Download
memory/4812-225-0x0000000000000000-mapping.dmp

Download
memory/4828-259-0x0000000000000000-mapping.dmp

Download
memory/4828-227-0x0000000000000000-mapping.dmp

Download
memory/4832-1381-0x0000000000E60000-0x0000000000E6D000-memory.dmp

Filesize
52KB

Download
memory/4836-390-0x0000000000000000-mapping.dmp

Download
memory/4836-1397-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4844-433-0x0000000000000000-mapping.dmp

Download
memory/4848-255-0x0000000000000000-mapping.dmp

Download
memory/4852-277-0x0000000000000000-mapping.dmp

Download
memory/4852-381-0x0000000000000000-mapping.dmp

Download
memory/4856-802-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4856-815-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/4860-228-0x0000000000000000-mapping.dmp

Download
memory/4892-789-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4892-796-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4892-793-0x0000000005320000-0x000000000532B000-memory.dmp

Filesize
44KB

Download
memory/4892-786-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4896-1198-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4896-1197-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/4896-1207-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/4896-257-0x0000000000000000-mapping.dmp

Download
memory/4912-1322-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/4916-261-0x0000000000000000-mapping.dmp

Download
memory/4940-279-0x0000000000000000-mapping.dmp

Download
memory/4952-230-0x0000000000000000-mapping.dmp

Download
memory/4968-671-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4968-676-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-333-0x0000000000000000-mapping.dmp

Download
memory/4988-753-0x000002BC9EC30000-0x000002BC9EC31000-memory.dmp

Filesize
4KB

Download
memory/4992-263-0x0000000000000000-mapping.dmp

Download
memory/5004-1340-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5004-1347-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/5004-233-0x0000000000000000-mapping.dmp

Download
memory/5084-232-0x0000000000000000-mapping.dmp

Download
memory/5104-929-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5108-805-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/5108-814-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/5108-801-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5108-804-0x00000000778B4000-0x00000000778B5000-memory.dmp

Filesize
4KB

Download
memory/5112-1383-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5116-787-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/5116-790-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/5116-803-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/5116-795-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/5116-785-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-799-0x0000000002FF0000-0x0000000003025000-memory.dmp

Filesize
212KB

Download
memory/5136-849-0x0000000000720000-0x000000000072D000-memory.dmp

Filesize
52KB

Download
memory/5136-861-0x0000000003430000-0x000000000347A000-memory.dmp

Filesize
296KB

Download
memory/5188-1391-0x0000000004C10000-0x0000000004C14000-memory.dmp

Filesize
16KB

Download
memory/5256-1339-0x000000001C9B0000-0x000000001C9B2000-memory.dmp

Filesize
8KB

Download
memory/5256-1333-0x00007FFE1D9D0000-0x00007FFE1E3BC000-memory.dmp

Filesize
9.9MB

Download
memory/5276-1042-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5276-1049-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5276-1053-0x0000000001180000-0x00000000011C9000-memory.dmp

Filesize
292KB

Download
memory/5304-887-0x0000000006E60000-0x0000000006E64000-memory.dmp

Filesize
16KB

Download
memory/5392-1222-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1204-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5392-1206-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/5400-889-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/5436-1137-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/5436-1124-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5444-892-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/5444-909-0x0000000003690000-0x00000000036DA000-memory.dmp

Filesize
296KB

Download
memory/5464-1178-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5464-1187-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/5488-1247-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5488-1267-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/5488-1251-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5504-918-0x00007FFE1D9D0000-0x00007FFE1E3BC000-memory.dmp

Filesize
9.9MB

Download
memory/5504-928-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/5560-948-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5560-963-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/5560-951-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/5568-1298-0x00000000025A0000-0x000000000273C000-memory.dmp

Filesize
1.6MB

Download
memory/5572-1305-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5572-1290-0x0000000000580000-0x000000000058D000-memory.dmp

Filesize
52KB

Download
memory/5600-1291-0x0000000000A90000-0x0000000000A9D000-memory.dmp

Filesize
52KB

Download
memory/5668-965-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/5668-956-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/5668-955-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5676-1327-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5676-1324-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/5768-851-0x0000000000BD0000-0x0000000000BDD000-memory.dmp

Filesize
52KB

Download
memory/5776-1364-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/5776-1360-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/5776-1358-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5828-1181-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5828-1189-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/5852-1062-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/5872-1318-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5928-1423-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/5928-1384-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/5928-1426-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/6020-1320-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/6024-1341-0x0000000071970000-0x000000007205E000-memory.dmp

Filesize
6.9MB

Download
memory/6024-1350-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/6060-1451-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/6136-850-0x00000000026B0000-0x000000000284C000-memory.dmp

Filesize
1.6MB

Download