Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Install.exe

windows7_x64

Install.exe

windows10_x64

Install2.exe

windows7_x64

Install2.exe

windows10_x64

keygen-step-4.exe

windows7_x64

keygen-step-4.exe

windows10_x64

keygen-step-4d.exe

windows7_x64

keygen-step-4d.exe

windows10_x64

Resubmissions

12/11/2024, 01:29

241112-bwgrxs1gnf 10

08/07/2021, 12:18

210708-8z6d5h8z2n 10

06/07/2021, 17:53

210706-g6we6sa7sa 10

19/06/2021, 18:17

210619-vr8bj2dzfn 10

17/06/2021, 21:39

210617-a9cvlnmrbx 10

11/06/2021, 17:26

210611-wvab1yw2tj 10

08/06/2021, 06:47

210608-qrbpch3y46 10

08/06/2021, 06:47

210608-64tndgm1ln 10

05/06/2021, 18:40

210605-cd6qpr55sx 10

04/06/2021, 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    80s
  • max time network
    285s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    04/06/2021, 11:56

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    keygen-step-4.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score
10/10
djvuelysiumstealerplugxredlinevidardiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojanvmprotect

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Blocklisted process makes network request 48 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 59 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 5 IoCs
  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 33 IoCs
  • Modifies registry class 43 IoCs
  • Modifies system certificate store 2 TTPs 23 IoCs
    evasionspywaretrojan
  • NTFS ADS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 12 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:868
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:776
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1360
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:3032
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding B603CFA8B2F8B7181727762922AD5C00 C
          3⤵
          • Loads dropped DLL
          PID:3052
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding C9690F775E40DB380D3CDB5FF727E959
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:2872
          • C:\Windows\SysWOW64\taskkill.exe
            "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
            4⤵
            • Kills process with taskkill
            PID:2848
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 4DBDA653B147F3084EA3C424D42733CE M Global\MSI0000
          3⤵
            PID:2856
      • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
        "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
        1⤵
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
          2⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
            3⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1384
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Users\Admin\AppData\Local\Temp\is-A4J0Q.tmp\Install.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-A4J0Q.tmp\Install.tmp" /SL5="$3017E,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Users\Admin\AppData\Local\Temp\is-L3NBJ.tmp\Ultra.exe
              "C:\Users\Admin\AppData\Local\Temp\is-L3NBJ.tmp\Ultra.exe" /S /UID=burnerch1
              4⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Modifies system certificate store
              • Suspicious use of WriteProcessMemory
              PID:1616
              • C:\Program Files\Windows Photo Viewer\OONQKRONJQ\ultramediaburner.exe
                "C:\Program Files\Windows Photo Viewer\OONQKRONJQ\ultramediaburner.exe" /VERYSILENT
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1456
                • C:\Users\Admin\AppData\Local\Temp\is-49010.tmp\ultramediaburner.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-49010.tmp\ultramediaburner.tmp" /SL5="$30186,281924,62464,C:\Program Files\Windows Photo Viewer\OONQKRONJQ\ultramediaburner.exe" /VERYSILENT
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:1464
                  • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                    "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                    7⤵
                    • Executes dropped EXE
                    PID:944
              • C:\Users\Admin\AppData\Local\Temp\28-1fc54-e2f-d15a2-25d734c86ed60\Bymishaevoly.exe
                "C:\Users\Admin\AppData\Local\Temp\28-1fc54-e2f-d15a2-25d734c86ed60\Bymishaevoly.exe"
                5⤵
                • Executes dropped EXE
                PID:764
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:788
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:275457 /prefetch:2
                    7⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1536
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:406532 /prefetch:2
                    7⤵
                    • Modifies Internet Explorer settings
                    • NTFS ADS
                    • Suspicious use of SetWindowsHookEx
                    PID:2152
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:340994 /prefetch:2
                    7⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1840
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1416
                      8⤵
                      • Program crash
                      PID:3840
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:1455125 /prefetch:2
                    7⤵
                      PID:3760
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:1455132 /prefetch:2
                      7⤵
                        PID:4028
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:1324062 /prefetch:2
                        7⤵
                          PID:1640
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1440
                            8⤵
                            • Program crash
                            PID:3228
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:799765 /prefetch:2
                          7⤵
                            PID:5076
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:2176019 /prefetch:2
                            7⤵
                              PID:4696
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1476
                                8⤵
                                • Program crash
                                PID:4884
                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:4142110 /prefetch:2
                              7⤵
                                PID:4836
                              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:1324269 /prefetch:2
                                7⤵
                                  PID:2852
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:4011027 /prefetch:2
                                  7⤵
                                    PID:4656
                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:3879969 /prefetch:2
                                    7⤵
                                      PID:5200
                                • C:\Users\Admin\AppData\Local\Temp\3d-922ad-2b0-df8a2-76ea8c40c989c\Laebikybawy.exe
                                  "C:\Users\Admin\AppData\Local\Temp\3d-922ad-2b0-df8a2-76ea8c40c989c\Laebikybawy.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Modifies system certificate store
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1520
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fyiypign.jpo\001.exe & exit
                                    6⤵
                                      PID:2160
                                      • C:\Users\Admin\AppData\Local\Temp\fyiypign.jpo\001.exe
                                        C:\Users\Admin\AppData\Local\Temp\fyiypign.jpo\001.exe
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                        PID:2068
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\csenlbl5.aro\GcleanerEU.exe /eufive & exit
                                      6⤵
                                        PID:2732
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iyvnzej0.l2b\installer.exe /qn CAMPAIGN="654" & exit
                                        6⤵
                                          PID:2160
                                          • C:\Users\Admin\AppData\Local\Temp\iyvnzej0.l2b\installer.exe
                                            C:\Users\Admin\AppData\Local\Temp\iyvnzej0.l2b\installer.exe /qn CAMPAIGN="654"
                                            7⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Enumerates connected drives
                                            • Modifies system certificate store
                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                            • Suspicious use of FindShellTrayWindow
                                            PID:2916
                                            • C:\Windows\SysWOW64\msiexec.exe
                                              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\iyvnzej0.l2b\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\iyvnzej0.l2b\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1622548351 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                              8⤵
                                                PID:2800
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ldmtvk0b.q1p\gaoou.exe & exit
                                            6⤵
                                              PID:2952
                                              • C:\Users\Admin\AppData\Local\Temp\ldmtvk0b.q1p\gaoou.exe
                                                C:\Users\Admin\AppData\Local\Temp\ldmtvk0b.q1p\gaoou.exe
                                                7⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Adds Run key to start application
                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                PID:2528
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  8⤵
                                                  • Executes dropped EXE
                                                  PID:2924
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  8⤵
                                                  • Executes dropped EXE
                                                  PID:2552
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4ustkct.cwe\Setup3310.exe /Verysilent /subid=623 & exit
                                              6⤵
                                                PID:3040
                                                • C:\Users\Admin\AppData\Local\Temp\o4ustkct.cwe\Setup3310.exe
                                                  C:\Users\Admin\AppData\Local\Temp\o4ustkct.cwe\Setup3310.exe /Verysilent /subid=623
                                                  7⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                  PID:2876
                                                  • C:\Users\Admin\AppData\Local\Temp\is-CPCV8.tmp\Setup3310.tmp
                                                    "C:\Users\Admin\AppData\Local\Temp\is-CPCV8.tmp\Setup3310.tmp" /SL5="$30348,138429,56832,C:\Users\Admin\AppData\Local\Temp\o4ustkct.cwe\Setup3310.exe" /Verysilent /subid=623
                                                    8⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious use of FindShellTrayWindow
                                                    PID:2104
                                                    • C:\Users\Admin\AppData\Local\Temp\is-8I968.tmp\Setup.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\is-8I968.tmp\Setup.exe" /Verysilent
                                                      9⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      PID:2764
                                                      • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
                                                        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
                                                        10⤵
                                                        • Executes dropped EXE
                                                        • Checks processor information in registry
                                                        • Modifies system certificate store
                                                        PID:1452
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
                                                          11⤵
                                                            PID:3152
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              taskkill /im RunWW.exe /f
                                                              12⤵
                                                              • Kills process with taskkill
                                                              PID:3276
                                                            • C:\Windows\SysWOW64\timeout.exe
                                                              timeout /t 6
                                                              12⤵
                                                              • Delays execution with timeout.exe
                                                              PID:3312
                                                        • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
                                                          "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          PID:2292
                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                            11⤵
                                                            • Executes dropped EXE
                                                            PID:3208
                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                            11⤵
                                                            • Executes dropped EXE
                                                            PID:3756
                                                        • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                                                          "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          PID:1572
                                                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                                                            11⤵
                                                            • Modifies registry class
                                                            PID:376
                                                        • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
                                                          "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          PID:2264
                                                          • C:\Users\Admin\AppData\Local\Temp\is-07ADR.tmp\lylal220.tmp
                                                            "C:\Users\Admin\AppData\Local\Temp\is-07ADR.tmp\lylal220.tmp" /SL5="$10426,140518,56832,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            PID:2372
                                                            • C:\Users\Admin\AppData\Local\Temp\is-KI3B1.tmp\___________RUb__________y.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\is-KI3B1.tmp\___________RUb__________y.exe" /S /UID=lylal220
                                                              12⤵
                                                              • Drops file in Drivers directory
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              • Drops file in Program Files directory
                                                              PID:3296
                                                              • C:\Program Files\Windows Media Player\WACIVWDCDW\irecord.exe
                                                                "C:\Program Files\Windows Media Player\WACIVWDCDW\irecord.exe" /VERYSILENT
                                                                13⤵
                                                                • Executes dropped EXE
                                                                PID:3136
                                                                • C:\Users\Admin\AppData\Local\Temp\is-LV40G.tmp\irecord.tmp
                                                                  "C:\Users\Admin\AppData\Local\Temp\is-LV40G.tmp\irecord.tmp" /SL5="$1050C,6139911,56832,C:\Program Files\Windows Media Player\WACIVWDCDW\irecord.exe" /VERYSILENT
                                                                  14⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in Program Files directory
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  PID:3116
                                                                  • C:\Program Files (x86)\recording\i-record.exe
                                                                    "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
                                                                    15⤵
                                                                      PID:3020
                                                                • C:\Users\Admin\AppData\Local\Temp\33-58537-643-1d7a2-774e22d59cf90\Ciqapemaenu.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\33-58537-643-1d7a2-774e22d59cf90\Ciqapemaenu.exe"
                                                                  13⤵
                                                                  • Executes dropped EXE
                                                                  PID:3240
                                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                                    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                    14⤵
                                                                      PID:3956
                                                                  • C:\Users\Admin\AppData\Local\Temp\22-106c0-8ef-e00b9-629897555f825\Cuwobaeqaewy.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\22-106c0-8ef-e00b9-629897555f825\Cuwobaeqaewy.exe"
                                                                    13⤵
                                                                    • Executes dropped EXE
                                                                    PID:3312
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\idebno0e.pzg\001.exe & exit
                                                                      14⤵
                                                                        PID:3684
                                                                        • C:\Users\Admin\AppData\Local\Temp\idebno0e.pzg\001.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\idebno0e.pzg\001.exe
                                                                          15⤵
                                                                            PID:3300
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\srx4nklo.lkg\GcleanerEU.exe /eufive & exit
                                                                          14⤵
                                                                            PID:3316
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z4akjer2.rsp\installer.exe /qn CAMPAIGN="654" & exit
                                                                            14⤵
                                                                              PID:4236
                                                                              • C:\Users\Admin\AppData\Local\Temp\z4akjer2.rsp\installer.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\z4akjer2.rsp\installer.exe /qn CAMPAIGN="654"
                                                                                15⤵
                                                                                  PID:4312
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gxmsriym.1my\gaoou.exe & exit
                                                                                14⤵
                                                                                  PID:4380
                                                                                  • C:\Users\Admin\AppData\Local\Temp\gxmsriym.1my\gaoou.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\gxmsriym.1my\gaoou.exe
                                                                                    15⤵
                                                                                      PID:4468
                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                        16⤵
                                                                                          PID:4588
                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                          16⤵
                                                                                            PID:876
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y45k3wpt.q5n\Setup3310.exe /Verysilent /subid=623 & exit
                                                                                        14⤵
                                                                                          PID:4724
                                                                                          • C:\Users\Admin\AppData\Local\Temp\y45k3wpt.q5n\Setup3310.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\y45k3wpt.q5n\Setup3310.exe /Verysilent /subid=623
                                                                                            15⤵
                                                                                              PID:4792
                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-33LDV.tmp\Setup3310.tmp
                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-33LDV.tmp\Setup3310.tmp" /SL5="$206B6,138429,56832,C:\Users\Admin\AppData\Local\Temp\y45k3wpt.q5n\Setup3310.exe" /Verysilent /subid=623
                                                                                                16⤵
                                                                                                  PID:4828
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-VODL5.tmp\Setup.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-VODL5.tmp\Setup.exe" /Verysilent
                                                                                                    17⤵
                                                                                                      PID:3652
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3hgrvyfw.xq1\google-game.exe & exit
                                                                                                14⤵
                                                                                                  PID:2580
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\3hgrvyfw.xq1\google-game.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\3hgrvyfw.xq1\google-game.exe
                                                                                                    15⤵
                                                                                                      PID:3332
                                                                                                      • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
                                                                                                        16⤵
                                                                                                          PID:3300
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\akgk4db1.xxr\GcleanerWW.exe /mixone & exit
                                                                                                      14⤵
                                                                                                        PID:4376
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4e5w2fe5.0x3\005.exe & exit
                                                                                                        14⤵
                                                                                                          PID:2748
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4e5w2fe5.0x3\005.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\4e5w2fe5.0x3\005.exe
                                                                                                            15⤵
                                                                                                              PID:3904
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eosktrdz.wwu\toolspab1.exe & exit
                                                                                                            14⤵
                                                                                                              PID:4372
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\eosktrdz.wwu\toolspab1.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\eosktrdz.wwu\toolspab1.exe
                                                                                                                15⤵
                                                                                                                  PID:2928
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\eosktrdz.wwu\toolspab1.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\eosktrdz.wwu\toolspab1.exe
                                                                                                                    16⤵
                                                                                                                      PID:2160
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5rbmehjf.tt4\702564a0.exe & exit
                                                                                                                  14⤵
                                                                                                                    PID:4092
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\5rbmehjf.tt4\702564a0.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\5rbmehjf.tt4\702564a0.exe
                                                                                                                      15⤵
                                                                                                                        PID:3992
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 124
                                                                                                                          16⤵
                                                                                                                          • Program crash
                                                                                                                          PID:3788
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2folv5o.1aw\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                      14⤵
                                                                                                                        PID:5032
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\m2folv5o.1aw\installer.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\m2folv5o.1aw\installer.exe /qn CAMPAIGN="654"
                                                                                                                          15⤵
                                                                                                                            PID:2784
                                                                                                                • C:\Program Files (x86)\Data Finder\Versium Research\003.exe
                                                                                                                  "C:\Program Files (x86)\Data Finder\Versium Research\003.exe"
                                                                                                                  10⤵
                                                                                                                    PID:2132
                                                                                                                  • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
                                                                                                                    "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                    10⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:2296
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-I995N.tmp\LabPicV3.tmp
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-I995N.tmp\LabPicV3.tmp" /SL5="$30362,140559,56832,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                                                                                                                      11⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2132
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-VNP93.tmp\___________23.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-VNP93.tmp\___________23.exe" /S /UID=lab214
                                                                                                                        12⤵
                                                                                                                        • Drops file in Drivers directory
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Adds Run key to start application
                                                                                                                        • Drops file in Program Files directory
                                                                                                                        PID:3496
                                                                                                                        • C:\Program Files\Windows Media Player\OQRVNTXALN\prolab.exe
                                                                                                                          "C:\Program Files\Windows Media Player\OQRVNTXALN\prolab.exe" /VERYSILENT
                                                                                                                          13⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4004
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-J9UVN.tmp\prolab.tmp
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-J9UVN.tmp\prolab.tmp" /SL5="$30390,575243,216576,C:\Program Files\Windows Media Player\OQRVNTXALN\prolab.exe" /VERYSILENT
                                                                                                                            14⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in Program Files directory
                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                            PID:4036
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\a8-ee438-f30-1a897-a838b47009892\Hywucaedela.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\a8-ee438-f30-1a897-a838b47009892\Hywucaedela.exe"
                                                                                                                          13⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:3100
                                                                                                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                            14⤵
                                                                                                                              PID:2680
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\31-db964-37b-56ea4-efbd8343650b1\Tybamaekaeji.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\31-db964-37b-56ea4-efbd8343650b1\Tybamaekaeji.exe"
                                                                                                                            13⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:3728
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\04s2tpv5.htr\001.exe & exit
                                                                                                                              14⤵
                                                                                                                                PID:3880
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\04s2tpv5.htr\001.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\04s2tpv5.htr\001.exe
                                                                                                                                  15⤵
                                                                                                                                    PID:3348
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\da32zqha.deb\GcleanerEU.exe /eufive & exit
                                                                                                                                  14⤵
                                                                                                                                    PID:3352
                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amtk3qpz.ai5\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                    14⤵
                                                                                                                                      PID:4192
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\amtk3qpz.ai5\installer.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\amtk3qpz.ai5\installer.exe /qn CAMPAIGN="654"
                                                                                                                                        15⤵
                                                                                                                                          PID:4320
                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k2yqbctx.pl2\gaoou.exe & exit
                                                                                                                                        14⤵
                                                                                                                                          PID:4420
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\k2yqbctx.pl2\gaoou.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\k2yqbctx.pl2\gaoou.exe
                                                                                                                                            15⤵
                                                                                                                                              PID:4460
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                16⤵
                                                                                                                                                  PID:4580
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                  16⤵
                                                                                                                                                    PID:3172
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wvkmnr0x.aqz\Setup3310.exe /Verysilent /subid=623 & exit
                                                                                                                                                14⤵
                                                                                                                                                  PID:4804
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\wvkmnr0x.aqz\Setup3310.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\wvkmnr0x.aqz\Setup3310.exe /Verysilent /subid=623
                                                                                                                                                    15⤵
                                                                                                                                                      PID:4864
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-RH9S4.tmp\Setup3310.tmp
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-RH9S4.tmp\Setup3310.tmp" /SL5="$206CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\wvkmnr0x.aqz\Setup3310.exe" /Verysilent /subid=623
                                                                                                                                                        16⤵
                                                                                                                                                          PID:4880
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-MIIAU.tmp\Setup.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-MIIAU.tmp\Setup.exe" /Verysilent
                                                                                                                                                            17⤵
                                                                                                                                                              PID:4848
                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bi2fzrz1.0go\google-game.exe & exit
                                                                                                                                                        14⤵
                                                                                                                                                          PID:2280
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\bi2fzrz1.0go\google-game.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\bi2fzrz1.0go\google-game.exe
                                                                                                                                                            15⤵
                                                                                                                                                              PID:3212
                                                                                                                                                              • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                                                                "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
                                                                                                                                                                16⤵
                                                                                                                                                                  PID:3524
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dsqo4dup.b2q\GcleanerWW.exe /mixone & exit
                                                                                                                                                              14⤵
                                                                                                                                                                PID:4140
                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ioplv2gn.c3z\005.exe & exit
                                                                                                                                                                14⤵
                                                                                                                                                                  PID:5012
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ioplv2gn.c3z\005.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\ioplv2gn.c3z\005.exe
                                                                                                                                                                    15⤵
                                                                                                                                                                      PID:4836
                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\30ov02fe.fpy\toolspab1.exe & exit
                                                                                                                                                                    14⤵
                                                                                                                                                                      PID:4816
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\30ov02fe.fpy\toolspab1.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\30ov02fe.fpy\toolspab1.exe
                                                                                                                                                                        15⤵
                                                                                                                                                                          PID:4612
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\30ov02fe.fpy\toolspab1.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\30ov02fe.fpy\toolspab1.exe
                                                                                                                                                                            16⤵
                                                                                                                                                                              PID:2608
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\354tsdnl.bum\702564a0.exe & exit
                                                                                                                                                                          14⤵
                                                                                                                                                                            PID:1680
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\354tsdnl.bum\702564a0.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\354tsdnl.bum\702564a0.exe
                                                                                                                                                                              15⤵
                                                                                                                                                                                PID:4684
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qlifrcgw.qpi\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                              14⤵
                                                                                                                                                                                PID:2828
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\qlifrcgw.qpi\installer.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\qlifrcgw.qpi\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                  15⤵
                                                                                                                                                                                    PID:5056
                                                                                                                                                                        • C:\Program Files (x86)\Data Finder\Versium Research\ask.exe
                                                                                                                                                                          "C:\Program Files (x86)\Data Finder\Versium Research\ask.exe"
                                                                                                                                                                          10⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Modifies system certificate store
                                                                                                                                                                          PID:2860
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                            11⤵
                                                                                                                                                                              PID:3564
                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                taskkill /f /im chrome.exe
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                PID:3628
                                                                                                                                                                          • C:\Program Files (x86)\Data Finder\Versium Research\Browser.exe
                                                                                                                                                                            "C:\Program Files (x86)\Data Finder\Versium Research\Browser.exe"
                                                                                                                                                                            10⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                            PID:1800
                                                                                                                                                                            • C:\Program Files (x86)\Browzar\yRVGeBTYzVxq.exe
                                                                                                                                                                              "C:\Program Files (x86)\Browzar\yRVGeBTYzVxq.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                              PID:2212
                                                                                                                                                                              • C:\Program Files (x86)\Browzar\yRVGeBTYzVxq.exe
                                                                                                                                                                                "C:\Program Files (x86)\Browzar\yRVGeBTYzVxq.exe"
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:3936
                                                                                                                                                                            • C:\Program Files (x86)\Browzar\Browzar.exe
                                                                                                                                                                              "C:\Program Files (x86)\Browzar\Browzar.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                              PID:3076
                                                                                                                                                                          • C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
                                                                                                                                                                            "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
                                                                                                                                                                            10⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Modifies system certificate store
                                                                                                                                                                            PID:2308
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\6050855.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\6050855.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:3508
                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1580
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Program crash
                                                                                                                                                                                PID:4076
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\2682457.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\2682457.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              PID:3600
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:3736
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5341571.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5341571.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:3856
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\5341571.exe
                                                                                                                                                                                "{path}"
                                                                                                                                                                                12⤵
                                                                                                                                                                                  PID:3712
                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izcdaab5.rfi\google-game.exe & exit
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:2744
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\izcdaab5.rfi\google-game.exe
                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\izcdaab5.rfi\google-game.exe
                                                                                                                                                                          7⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                          PID:2740
                                                                                                                                                                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                                                                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
                                                                                                                                                                            8⤵
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:2084
                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pyegm20t.tcv\GcleanerWW.exe /mixone & exit
                                                                                                                                                                        6⤵
                                                                                                                                                                          PID:1352
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kxes2zxm.xqh\005.exe & exit
                                                                                                                                                                          6⤵
                                                                                                                                                                            PID:2016
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\kxes2zxm.xqh\005.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\kxes2zxm.xqh\005.exe
                                                                                                                                                                              7⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                              PID:2568
                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3f4mw43t.jij\toolspab1.exe & exit
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:1996
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\3f4mw43t.jij\toolspab1.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\3f4mw43t.jij\toolspab1.exe
                                                                                                                                                                                7⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                PID:1232
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3f4mw43t.jij\toolspab1.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\3f4mw43t.jij\toolspab1.exe
                                                                                                                                                                                  8⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                  PID:3836
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gtuwdc2v.vh2\702564a0.exe & exit
                                                                                                                                                                              6⤵
                                                                                                                                                                                PID:3572
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\gtuwdc2v.vh2\702564a0.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\gtuwdc2v.vh2\702564a0.exe
                                                                                                                                                                                  7⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                  PID:3672
                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ei10h5tq.x0p\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:3564
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ei10h5tq.x0p\installer.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\ei10h5tq.x0p\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                    7⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                    PID:3732
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Modifies system certificate store
                                                                                                                                                                          PID:272
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:1836
                                                                                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                ping 127.0.0.1
                                                                                                                                                                                4⤵
                                                                                                                                                                                • Runs ping.exe
                                                                                                                                                                                PID:2096
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:2388
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                            PID:2076
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:2568
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:2188
                                                                                                                                                                        • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                          C:\Windows\system32\AUDIODG.EXE 0x5b0
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:4156
                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:4588
                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef1724f50,0x7fef1724f60,0x7fef1724f70
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:4292
                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1224 /prefetch:8
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:296
                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:4504
                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=752 /prefetch:2
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:4800
                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:2760
                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:4812
                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:4756
                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:4980
                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2664
                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:1
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:5108
                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:4768
                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2444 /prefetch:2
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:4992
                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:4988
                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:4740
                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:2464
                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:3464
                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:4332
                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:2680
                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:4172
                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:4644
                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5092
                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:3552
                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:1076
                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:1168
                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:4276
                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:3568
                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:3856
                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:3400
                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:3640
                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:1308
                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:2348
                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:4752
                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:4192
                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4544
                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7456 /prefetch:8
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:5700
                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:2956
                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:1768
                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:5020
                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:2980
                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:5420
                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 /prefetch:8
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:5824
                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:8
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:6016
                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4764
                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:3252
                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x14006a890,0x14006a8a0,0x14006a8b0
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:5316
                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:8
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:3420
                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7316 /prefetch:8
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:4276
                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:4972
                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9012 /prefetch:8
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:3832
                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8228 /prefetch:8
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:3976
                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8292 /prefetch:8
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:4408
                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8584 /prefetch:8
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:4892
                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8484 /prefetch:8
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:2136
                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8804 /prefetch:8
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8056 /prefetch:8
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:2256
                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9104 /prefetch:8
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:4528
                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:3960
                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7876 /prefetch:8
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:4340
                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:1768
                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7256 /prefetch:8
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:5032
                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9280 /prefetch:8
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:3248
                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8924 /prefetch:8
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:1792
                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8868 /prefetch:8
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:4252
                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9084 /prefetch:8
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:5512
                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7332 /prefetch:8
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:5580
                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6308 /prefetch:8
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                    PID:5516
                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7116 /prefetch:8
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:5532
                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:5484
                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8288 /prefetch:8
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:5644
                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:5680
                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8036 /prefetch:8
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:2848
                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8060 /prefetch:8
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:4136
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8880 /prefetch:8
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:6128
                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9284 /prefetch:8
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:2724
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8916 /prefetch:8
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:6104
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=808,15653099337359031122,16308852577508390395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=492 /prefetch:8
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:1076
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                        PID:5520
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:4288
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                              icacls "C:\Users\Admin\AppData\Local\c2604237-de4f-4239-8a64-176e6f292201" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                              PID:3556
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\BDC3.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:3712
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\BDC3.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\BDC3.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1820
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin1.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin1.exe"
                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                        PID:5500
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin1.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin1.exe" --Admin
                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                            PID:5756
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                              powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5824
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5068
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2856
                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Windows Defender\mpcmdrun.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                    • Deletes Windows Defender Definitions
                                                                                                                                                                                                                                                                                                                                                                    PID:2924
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:3992
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin2.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\updatewin2.exe"
                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:6016
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\5.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\ccf34a1e-88fe-4590-b3c6-f509e36635a0\5.exe"
                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2628
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\D5A8.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\D5A8.exe
                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                PID:1696
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im D5A8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D5A8.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:4252
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                      taskkill /im D5A8.exe /f
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                      PID:5636
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                      timeout /t 6
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                      PID:5632
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\F71D.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\F71D.exe
                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3588
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\DD9.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\DD9.exe
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:5768
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\127C.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\127C.exe
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:5772
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2D2E.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\2D2E.exe
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:4796
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2D1E.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\2D1E.exe
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:2160
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4561.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\4561.exe
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3876
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:4592

                                                                                                                                                                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                                                                                                                                                                              • memory/272-168-0x0000000000090000-0x000000000009D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                52KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/376-297-0x0000000000AA0000-0x0000000000BA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/376-295-0x0000000010000000-0x0000000010002000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/376-298-0x0000000000260000-0x00000000002BC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                368KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/764-159-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/776-97-0x0000000000230000-0x00000000002A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                448KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-258-0x00000000015B0000-0x0000000001620000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                448KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-300-0x0000000002470000-0x00000000024E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                448KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-94-0x0000000000840000-0x000000000088B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                300KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-299-0x0000000000960000-0x00000000009AB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                300KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-95-0x0000000000A50000-0x0000000000AC0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                448KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/868-257-0x0000000000890000-0x00000000008DB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                300KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/944-187-0x00000000022B0000-0x00000000022C9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/944-185-0x0000000000BE6000-0x0000000000C05000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                124KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/944-149-0x000007FEF23A0000-0x000007FEF3436000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                16.6MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/944-186-0x0000000000C05000-0x0000000000C06000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/944-158-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/968-116-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1160-59-0x0000000075551000-0x0000000075553000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1308-98-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1308-85-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1308-88-0x0000000000370000-0x0000000000371000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1308-89-0x0000000000520000-0x000000000053C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                112KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1308-90-0x0000000000380000-0x0000000000381000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1360-119-0x00000000004A0000-0x0000000000510000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                448KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1360-200-0x0000000000370000-0x000000000038B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                108KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1360-189-0x00000000025F0000-0x00000000026F5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1360-118-0x0000000000060000-0x00000000000AB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                300KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1384-93-0x0000000000370000-0x00000000003CC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                368KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1384-91-0x0000000010000000-0x0000000010002000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1384-92-0x0000000000840000-0x0000000000941000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1452-311-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                672KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1452-309-0x0000000000330000-0x00000000003C7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                604KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1456-131-0x0000000000400000-0x0000000000416000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                88KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1464-141-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1464-138-0x0000000073F21000-0x0000000073F23000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1520-160-0x0000000000A90000-0x0000000000A92000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1520-181-0x0000000000A96000-0x0000000000AB5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                124KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1520-161-0x000007FEF23A0000-0x000007FEF3436000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                16.6MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1608-106-0x0000000000400000-0x000000000042B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                172KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/1616-124-0x0000000002210000-0x0000000002212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2068-193-0x0000000000240000-0x0000000000250000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2068-194-0x0000000000270000-0x0000000000282000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                72KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2084-256-0x0000000000850000-0x00000000008AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                368KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2084-255-0x0000000002070000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-242-0x0000000003990000-0x0000000003991000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-243-0x00000000039A0000-0x00000000039A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-226-0x0000000002060000-0x0000000002061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-223-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-230-0x0000000002090000-0x0000000002091000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-231-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-232-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-233-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-234-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-244-0x00000000039B0000-0x00000000039B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-236-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-228-0x0000000002080000-0x0000000002081000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-237-0x0000000003940000-0x0000000003941000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-238-0x0000000003950000-0x0000000003951000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-227-0x0000000002070000-0x0000000002071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-239-0x0000000003960000-0x0000000003961000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-240-0x0000000003970000-0x0000000003971000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-241-0x0000000003980000-0x0000000003981000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2104-235-0x00000000037D0000-0x0000000003827000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                348KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2212-306-0x0000000004270000-0x0000000004271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2212-294-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2264-271-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                80KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2292-268-0x0000000001350000-0x00000000019AF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                6.4MB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2296-283-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                80KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2308-286-0x0000000000570000-0x000000000058B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                108KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2308-277-0x0000000000A80000-0x0000000000A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2308-290-0x000000001B150000-0x000000001B152000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2372-287-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2876-218-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                80KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/2916-199-0x0000000000240000-0x00000000002DD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                628KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/3032-206-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/3296-307-0x0000000000330000-0x0000000000332000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                              • memory/3508-314-0x0000000000B20000-0x0000000000B21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                Download