Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

setup_x86_...4).exe

windows7_x64

setup_x86_...4).exe

windows10_x64

10

setup_x86_...5).exe

windows7_x64

setup_x86_...5).exe

windows10_x64

10

setup_x86_...6).exe

windows7_x64

10

setup_x86_...6).exe

windows10_x64

10

setup_x86_...7).exe

windows7_x64

setup_x86_...7).exe

windows10_x64

10

setup_x86_...8).exe

windows7_x64

setup_x86_...8).exe

windows10_x64

10

setup_x86_...9).exe

windows7_x64

10

setup_x86_...9).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

10

setup_x86_...2).exe

windows10_x64

10

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

10

setup_x86_...3).exe

windows10_x64

Resubmissions

11/07/2024, 05:43

240711-gej4lstgrf 10

06/09/2021, 14:13

210906-rjpvrsedbm 10

08/07/2021, 11:08

210708-4gztl3mwl6 10

08/07/2021, 08:02

210708-klfb4qeda6 10

07/07/2021, 09:39

210707-nem57xyvf2 10

06/07/2021, 17:51

210706-7pcrmjy3fa 10

06/07/2021, 13:45

210706-eybelwcq86 10

Analysis

  • max time kernel
    1800s
  • max time network
    1812s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    02/07/2021, 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install - копия (2).exe

Score
10/10
redlinesmokeloadervidar706865932servaniaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

932

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    932

Extracted

Family

vidar

Version

39.4

Botnet

865

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    865

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 6 IoCs
    stealer
  • ASPack v2.12-2.42 8 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 17 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • autoit_exe 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
      PID:1084
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2752
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2384
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2360
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2332
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
            1⤵
              PID:2272
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1892
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1356
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1288
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1196
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:932
                      • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                        C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                        2⤵
                          PID:2436
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:4808
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5396
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:4500
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5800
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5172
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5600
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5080
                        • C:\Users\Admin\AppData\Roaming\ejvjbva
                          C:\Users\Admin\AppData\Roaming\ejvjbva
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: MapViewOfSection
                          PID:5168
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5648
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5352
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5780
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:1608
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5680
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:4748
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:4832
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:4704
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:1000
                        • C:\Users\Admin\AppData\Roaming\ejvjbva
                          C:\Users\Admin\AppData\Roaming\ejvjbva
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: MapViewOfSection
                          PID:1516
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                          • Executes dropped EXE
                          PID:3956
                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                          2⤵
                            PID:5596
                          • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                            C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                            2⤵
                              PID:4484
                            • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                              C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                              2⤵
                                PID:2100
                              • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                2⤵
                                  PID:5212
                                • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                  C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                  2⤵
                                    PID:5872
                                  • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                    C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                    2⤵
                                      PID:5480
                                    • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                      C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                      2⤵
                                        PID:2424
                                      • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                        C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                        2⤵
                                          PID:4384
                                        • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                          C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                          2⤵
                                            PID:4480
                                          • C:\Users\Admin\AppData\Roaming\ejvjbva
                                            C:\Users\Admin\AppData\Roaming\ejvjbva
                                            2⤵
                                            • Loads dropped DLL
                                            • Checks SCSI registry key(s)
                                            • Suspicious behavior: MapViewOfSection
                                            PID:5136
                                          • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                            C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                            2⤵
                                              PID:5192
                                          • c:\windows\system32\svchost.exe
                                            c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                            1⤵
                                              PID:68
                                            • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (2).exe
                                              "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (2).exe"
                                              1⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:4060
                                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of WriteProcessMemory
                                                PID:1744
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\setup_install.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\setup_install.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2468
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c arnatic_1.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2936
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_1.exe
                                                      arnatic_1.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Modifies system certificate store
                                                      PID:2620
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1728
                                                        6⤵
                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                        • Program crash
                                                        PID:4524
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c arnatic_3.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1280
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_3.exe
                                                      arnatic_3.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Checks computer location settings
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4064
                                                      • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                        6⤵
                                                        • Loads dropped DLL
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4088
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c arnatic_5.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1580
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_5.exe
                                                      arnatic_5.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2156
                                                      • C:\Users\Admin\AppData\Roaming\7398983.exe
                                                        "C:\Users\Admin\AppData\Roaming\7398983.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4272
                                                      • C:\Users\Admin\AppData\Roaming\7905267.exe
                                                        "C:\Users\Admin\AppData\Roaming\7905267.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:4440
                                                        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:4564
                                                      • C:\Users\Admin\AppData\Roaming\4460127.exe
                                                        "C:\Users\Admin\AppData\Roaming\4460127.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:4780
                                                      • C:\Users\Admin\AppData\Roaming\3466090.exe
                                                        "C:\Users\Admin\AppData\Roaming\3466090.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:5088
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c arnatic_6.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3004
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_6.exe
                                                      arnatic_6.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Checks computer location settings
                                                      PID:3476
                                                      • C:\Users\Admin\Documents\eL5kVsaYnZs75tUGGXu5BbeB.exe
                                                        "C:\Users\Admin\Documents\eL5kVsaYnZs75tUGGXu5BbeB.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:4504
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
                                                          7⤵
                                                          • Loads dropped DLL
                                                          • Enumerates system info in registry
                                                          • Suspicious use of FindShellTrayWindow
                                                          PID:4608
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff95ef74f50,0x7ff95ef74f60,0x7ff95ef74f70
                                                            8⤵
                                                              PID:4624
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1504 /prefetch:2
                                                              8⤵
                                                                PID:4788
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1880 /prefetch:8
                                                                8⤵
                                                                  PID:4964
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
                                                                  8⤵
                                                                    PID:4988
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
                                                                    8⤵
                                                                      PID:3696
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
                                                                      8⤵
                                                                        PID:3712
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
                                                                        8⤵
                                                                          PID:4388
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
                                                                          8⤵
                                                                            PID:4536
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
                                                                            8⤵
                                                                              PID:5044
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:1
                                                                              8⤵
                                                                                PID:2892
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
                                                                                8⤵
                                                                                  PID:3080
                                                                                • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
                                                                                  8⤵
                                                                                    PID:4500
                                                                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff720bda890,0x7ff720bda8a0,0x7ff720bda8b0
                                                                                      9⤵
                                                                                        PID:4584
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
                                                                                      8⤵
                                                                                        PID:3464
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
                                                                                        8⤵
                                                                                          PID:4812
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
                                                                                          8⤵
                                                                                            PID:4800
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
                                                                                            8⤵
                                                                                              PID:4808
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
                                                                                              8⤵
                                                                                                PID:2440
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
                                                                                                8⤵
                                                                                                  PID:4540
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8
                                                                                                  8⤵
                                                                                                    PID:4544
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
                                                                                                    8⤵
                                                                                                      PID:3948
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8
                                                                                                      8⤵
                                                                                                        PID:4032
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:8
                                                                                                        8⤵
                                                                                                          PID:1696
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
                                                                                                          8⤵
                                                                                                            PID:4312
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
                                                                                                            8⤵
                                                                                                              PID:4828
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
                                                                                                              8⤵
                                                                                                                PID:4952
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
                                                                                                                8⤵
                                                                                                                  PID:732
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1
                                                                                                                  8⤵
                                                                                                                    PID:2452
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
                                                                                                                    8⤵
                                                                                                                      PID:3948
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
                                                                                                                      8⤵
                                                                                                                        PID:3152
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
                                                                                                                        8⤵
                                                                                                                          PID:4584
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1840 /prefetch:8
                                                                                                                          8⤵
                                                                                                                            PID:4844
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
                                                                                                                            8⤵
                                                                                                                              PID:5672
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
                                                                                                                              8⤵
                                                                                                                                PID:4816
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
                                                                                                                                8⤵
                                                                                                                                  PID:2348
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
                                                                                                                                  8⤵
                                                                                                                                    PID:4292
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
                                                                                                                                    8⤵
                                                                                                                                      PID:5368
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:8
                                                                                                                                      8⤵
                                                                                                                                        PID:5436
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
                                                                                                                                        8⤵
                                                                                                                                          PID:5808
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
                                                                                                                                          8⤵
                                                                                                                                            PID:6108
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
                                                                                                                                            8⤵
                                                                                                                                              PID:5272
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
                                                                                                                                              8⤵
                                                                                                                                                PID:5220
                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
                                                                                                                                                8⤵
                                                                                                                                                  PID:5228
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
                                                                                                                                                  8⤵
                                                                                                                                                    PID:6140
                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
                                                                                                                                                    8⤵
                                                                                                                                                      PID:6112
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
                                                                                                                                                      8⤵
                                                                                                                                                        PID:4680
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
                                                                                                                                                        8⤵
                                                                                                                                                          PID:5252
                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
                                                                                                                                                          8⤵
                                                                                                                                                            PID:5868
                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
                                                                                                                                                            8⤵
                                                                                                                                                              PID:4468
                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
                                                                                                                                                              8⤵
                                                                                                                                                                PID:4364
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:2412
                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
                                                                                                                                                                  8⤵
                                                                                                                                                                    PID:4252
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
                                                                                                                                                                    8⤵
                                                                                                                                                                      PID:5596
                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
                                                                                                                                                                      8⤵
                                                                                                                                                                        PID:3084
                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:8
                                                                                                                                                                        8⤵
                                                                                                                                                                          PID:5260
                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
                                                                                                                                                                          8⤵
                                                                                                                                                                            PID:4808
                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                                                                                                                                                                            8⤵
                                                                                                                                                                              PID:1280
                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:6132
                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
                                                                                                                                                                                8⤵
                                                                                                                                                                                  PID:5968
                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15227695844126246498,7405956202695477216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:5712
                                                                                                                                                                              • C:\Users\Admin\Documents\f63HbxfV2WYcYU58wgLyTehf.exe
                                                                                                                                                                                "C:\Users\Admin\Documents\f63HbxfV2WYcYU58wgLyTehf.exe"
                                                                                                                                                                                6⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                PID:516
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1326211188.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\1326211188.exe
                                                                                                                                                                                  7⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                  PID:4424
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1326211188.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\1326211188.exe
                                                                                                                                                                                    8⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:5004
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1200473737.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\1200473737.exe
                                                                                                                                                                                  7⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                  PID:3152
                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:732
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1200473737.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\1200473737.exe
                                                                                                                                                                                      8⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:2100
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 24
                                                                                                                                                                                        9⤵
                                                                                                                                                                                        • Program crash
                                                                                                                                                                                        PID:5292
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\Documents\f63HbxfV2WYcYU58wgLyTehf.exe & exit
                                                                                                                                                                                    7⤵
                                                                                                                                                                                      PID:6108
                                                                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                        ping 0
                                                                                                                                                                                        8⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Runs ping.exe
                                                                                                                                                                                        PID:2436
                                                                                                                                                                                  • C:\Users\Admin\Documents\dbQ3iIm0h1LDkWoDgn5v_vH9.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\dbQ3iIm0h1LDkWoDgn5v_vH9.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:1256
                                                                                                                                                                                    • C:\Users\Admin\Documents\dbQ3iIm0h1LDkWoDgn5v_vH9.exe
                                                                                                                                                                                      "{path}"
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:4984
                                                                                                                                                                                  • C:\Users\Admin\Documents\2aNJWnHICffmGqno89GuHbVV.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\2aNJWnHICffmGqno89GuHbVV.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:4224
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 656
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:1608
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 668
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:4552
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 768
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:2416
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 804
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:4156
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1076
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:64
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1276
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:4024
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1252
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:760
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1252
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:4196
                                                                                                                                                                                  • C:\Users\Admin\Documents\rwI3a3wTWh88dBrQa1ud4qdg.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\rwI3a3wTWh88dBrQa1ud4qdg.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:4584
                                                                                                                                                                                    • C:\Users\Admin\Documents\rwI3a3wTWh88dBrQa1ud4qdg.exe
                                                                                                                                                                                      C:\Users\Admin\Documents\rwI3a3wTWh88dBrQa1ud4qdg.exe
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:3644
                                                                                                                                                                                  • C:\Users\Admin\Documents\BN2v6gd1v89066wDB6eRa3Rp.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\BN2v6gd1v89066wDB6eRa3Rp.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:4168
                                                                                                                                                                                    • C:\Users\Admin\Documents\BN2v6gd1v89066wDB6eRa3Rp.exe
                                                                                                                                                                                      C:\Users\Admin\Documents\BN2v6gd1v89066wDB6eRa3Rp.exe
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                      PID:5164
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im BN2v6gd1v89066wDB6eRa3Rp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\BN2v6gd1v89066wDB6eRa3Rp.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                        8⤵
                                                                                                                                                                                          PID:4108
                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                            taskkill /im BN2v6gd1v89066wDB6eRa3Rp.exe /f
                                                                                                                                                                                            9⤵
                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                            PID:5432
                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                            9⤵
                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                            PID:5260
                                                                                                                                                                                    • C:\Users\Admin\Documents\VpYfqWTsvrvmk4DESisFXHov.exe
                                                                                                                                                                                      "C:\Users\Admin\Documents\VpYfqWTsvrvmk4DESisFXHov.exe"
                                                                                                                                                                                      6⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                      PID:4188
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im VpYfqWTsvrvmk4DESisFXHov.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\VpYfqWTsvrvmk4DESisFXHov.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                        7⤵
                                                                                                                                                                                          PID:4276
                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                            taskkill /im VpYfqWTsvrvmk4DESisFXHov.exe /f
                                                                                                                                                                                            8⤵
                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                            PID:3084
                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                            8⤵
                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                            PID:4352
                                                                                                                                                                                      • C:\Users\Admin\Documents\vt_ASiQuT3fR9eoJIz5PVk6E.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\vt_ASiQuT3fR9eoJIz5PVk6E.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:4852
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 920
                                                                                                                                                                                          7⤵
                                                                                                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:4408
                                                                                                                                                                                      • C:\Users\Admin\Documents\1um0tg3NcHdOWZT14jfQXEXD.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\1um0tg3NcHdOWZT14jfQXEXD.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                        PID:4848
                                                                                                                                                                                      • C:\Users\Admin\Documents\6y5Asuc92ZuzKRh2hOocPm4U.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\6y5Asuc92ZuzKRh2hOocPm4U.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                        PID:4720
                                                                                                                                                                                        • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                                                                                          "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                                                                                                                                          7⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:5148
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                            8⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:5640
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                            8⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:2348
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                            8⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:4220
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                            8⤵
                                                                                                                                                                                              PID:4136
                                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            PID:5172
                                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
                                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            PID:5156
                                                                                                                                                                                            • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                                                                                              "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
                                                                                                                                                                                              8⤵
                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5364
                                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\file4.exe
                                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\file4.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:5140
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c arnatic_7.exe
                                                                                                                                                                                      4⤵
                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                      PID:1300
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_7.exe
                                                                                                                                                                                        arnatic_7.exe
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                        PID:848
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_7.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_7.exe
                                                                                                                                                                                          6⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:184
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c arnatic_4.exe
                                                                                                                                                                                      4⤵
                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                      PID:2288
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_4.exe
                                                                                                                                                                                        arnatic_4.exe
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                        PID:728
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                          6⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:2452
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                          6⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                          PID:4620
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                          6⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:5360
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                          6⤵
                                                                                                                                                                                            PID:2420
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c arnatic_2.exe
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                        PID:2016
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0D638B24\arnatic_2.exe
                                                                                                                                                                                          arnatic_2.exe
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                          PID:988
                                                                                                                                                                                • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                  PID:4000
                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:2084
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\8936.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\8936.exe
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  PID:584
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:4308
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:4872
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:3112
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nrbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe" /F
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                          PID:4572
                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                          "C:\Windows\System32\rundll32.exe" C:\ProgramData\f1a6a48e76c1fd\cred.dll, Main
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          PID:5716
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:5820
                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                      PID:5896
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:4572
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:4340
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:5700
                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:1920
                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:5748

                                                                                                                                                                                      Network

                                                                                                                                                                                      MITRE ATT&CK Enterprise v6

                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                      Downloads

                                                                                                                                                                                      • memory/68-198-0x0000015A8A740000-0x0000015A8A7B1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/68-191-0x0000015A89CA0000-0x0000015A89CEC000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        304KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-232-0x0000000005120000-0x0000000005121000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-217-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-210-0x0000000004E10000-0x0000000004E11000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-207-0x0000000004F50000-0x0000000004F51000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-190-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        120KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-206-0x0000000005570000-0x0000000005571000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/184-212-0x0000000004E70000-0x0000000004E71000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/848-168-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/932-227-0x0000017366760000-0x00000173667D1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/988-284-0x0000000000900000-0x00000000009AE000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        696KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/988-285-0x0000000000400000-0x00000000008F4000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        5.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1084-221-0x0000025C2FB40000-0x0000025C2FBB1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1196-255-0x000001A02C240000-0x000001A02C2B1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1256-323-0x0000000005710000-0x0000000005711000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1288-257-0x00000202F2340000-0x00000202F23B1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1356-241-0x0000023DC6E00000-0x0000023DC6E71000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1892-251-0x00000243BD940000-0x00000243BD9B1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2084-295-0x000001C20D190000-0x000001C20D296000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        1.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2084-294-0x000001C20C2F0000-0x000001C20C30B000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        108KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2084-226-0x000001C20A980000-0x000001C20A9F1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2156-165-0x00000000008C0000-0x00000000008C1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2156-170-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2156-176-0x000000001B4D0000-0x000000001B4D2000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        8KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2156-172-0x0000000001020000-0x0000000001021000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2156-171-0x0000000001000000-0x000000000101F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        124KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2272-204-0x00000152B4A70000-0x00000152B4AE1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2332-213-0x0000018A666C0000-0x0000018A66731000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2360-242-0x000002A307730000-0x000002A3077A1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2384-252-0x0000018BDBF60000-0x0000018BDBFD1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-132-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        152KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-135-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        1.1MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-133-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        100KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-136-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        100KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-134-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        100KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        100KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-131-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        1.5MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2468-130-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        572KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2620-287-0x0000000002590000-0x000000000262D000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        628KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2620-288-0x0000000000400000-0x0000000000949000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        5.3MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2752-222-0x0000022D02070000-0x0000022D020E1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3120-296-0x00000000010A0000-0x00000000010B6000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        88KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3644-335-0x0000000005430000-0x0000000005A36000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        6.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4000-214-0x000001C0F6F70000-0x000001C0F6FE1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        452KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4088-188-0x0000000002FF8000-0x00000000030F9000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        1.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4088-194-0x0000000004940000-0x000000000499D000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        372KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4168-346-0x0000000005310000-0x0000000005311000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4188-349-0x00000000049A0000-0x0000000004A3D000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        628KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4188-348-0x0000000004830000-0x0000000004894000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        400KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4188-350-0x0000000000400000-0x000000000442B000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        64.2MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4224-331-0x0000000000400000-0x00000000043D1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        63.8MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4224-330-0x0000000004420000-0x000000000444F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        188KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4272-259-0x0000000007190000-0x00000000071BE000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        184KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4272-260-0x0000000007260000-0x0000000007261000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4272-253-0x0000000004A50000-0x0000000004A51000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4272-245-0x00000000002A0000-0x00000000002A1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4424-358-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4440-264-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4440-268-0x000000000E1E0000-0x000000000E1E1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4440-266-0x0000000005350000-0x0000000005351000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4440-267-0x0000000005360000-0x0000000005370000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        64KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4440-270-0x00000000013B0000-0x00000000013B1000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4564-286-0x0000000004A80000-0x0000000004A81000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4608-317-0x00007FF96A480000-0x00007FF96A779000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        3.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4780-293-0x000000001AF40000-0x000000001AF42000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        8KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4848-359-0x0000000077DD0000-0x0000000077F5E000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        1.6MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4848-360-0x0000000005120000-0x0000000005121000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4852-352-0x0000000004950000-0x00000000049ED000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        628KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4852-353-0x0000000000400000-0x0000000004429000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        64.2MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4852-351-0x00000000047A0000-0x0000000004804000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        400KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/4984-361-0x0000000004C40000-0x0000000005246000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        6.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/5004-362-0x00000000053E0000-0x00000000059E6000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        6.0MB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/5088-300-0x0000000004E10000-0x0000000004E11000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download