xenorat | a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

Analysis

max time kernel
447s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnamBinder.exe
Size

9.4MB
MD5

70565dbd654937df2eaefc7c79941169
SHA1

5cb8daf1185704a9772f07dcec2e499149517715
SHA256

a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d
SHA512

64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c
SSDEEP

196608:g81oBGyk1BK5Gf01Up2GRlRaNqg4eS+wDjxx1ohqsIOGvuQdaQ:g46GykqGf5sGRT2qFP+GDAqkG2i

Score

10^/10

xenorat execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xenorat

37.120.141.155

Mutex

SteamUDP_FULL4

Attributes

delay
5000
install_path
temp
port
22914
startup_name
SteamUDP

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6536	powershell.exe
880	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	loader_fix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	SteamUDPUpdater.exe

Executes dropped EXE 11 IoCs

pid	Process
5436	windres.exe
5432	gcc.exe
6976	cc1.exe
8132	tcc.exe
2464	loader_fix.exe
4968	Built.exe
5788	loader.exe
6300	SteamUDPUpdater.exe
6912	Built.exe
6264	SteamUDPUpdater.exe
1924	rar.exe

Loads dropped DLL 26 IoCs

pid	Process
5432	gcc.exe
6976	cc1.exe
6976	cc1.exe
6976	cc1.exe
6976	cc1.exe
6976	cc1.exe
6976	cc1.exe
6976	cc1.exe
8132	tcc.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe
6912	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6912-1544-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp	upx
behavioral1/memory/6912-1555-0x00007FFCC3AF0000-0x00007FFCC3AFF000-memory.dmp	upx
behavioral1/memory/6912-1554-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp	upx
behavioral1/memory/6912-1562-0x00007FFCBDED0000-0x00007FFCBDEFD000-memory.dmp	upx
behavioral1/memory/6912-1564-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp	upx
behavioral1/memory/6912-1563-0x00007FFCBA250000-0x00007FFCBA269000-memory.dmp	upx
behavioral1/memory/6912-1565-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp	upx
behavioral1/memory/6912-1570-0x00007FFCA3B50000-0x00007FFCA3C08000-memory.dmp	upx
behavioral1/memory/6912-1569-0x00007FFCA15D0000-0x00007FFCA1945000-memory.dmp	upx
behavioral1/memory/6912-1568-0x00007FFCB9C60000-0x00007FFCB9C8E000-memory.dmp	upx
behavioral1/memory/6912-1567-0x00007FFCC1D60000-0x00007FFCC1D6D000-memory.dmp	upx
behavioral1/memory/6912-1566-0x00007FFCB9C90000-0x00007FFCB9CA9000-memory.dmp	upx
behavioral1/memory/6912-1577-0x00007FFCA3710000-0x00007FFCA3828000-memory.dmp	upx
behavioral1/memory/6912-1576-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp	upx
behavioral1/memory/6912-1573-0x00007FFCC1D30000-0x00007FFCC1D3D000-memory.dmp	upx
behavioral1/memory/6912-1572-0x00007FFCB9B80000-0x00007FFCB9B94000-memory.dmp	upx
behavioral1/memory/6912-1571-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp	upx
behavioral1/memory/6912-1676-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp	upx
behavioral1/memory/6912-1675-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp	upx
behavioral1/memory/6912-1709-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp	upx
behavioral1/memory/6912-1735-0x00007FFCB9B80000-0x00007FFCB9B94000-memory.dmp	upx
behavioral1/memory/6912-1734-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp	upx
behavioral1/memory/6912-1733-0x00007FFCC1D30000-0x00007FFCC1D3D000-memory.dmp	upx
behavioral1/memory/6912-1732-0x00007FFCC1D60000-0x00007FFCC1D6D000-memory.dmp	upx
behavioral1/memory/6912-1731-0x00007FFCB9C90000-0x00007FFCB9CA9000-memory.dmp	upx
behavioral1/memory/6912-1730-0x00007FFCA3B50000-0x00007FFCA3C08000-memory.dmp	upx
behavioral1/memory/6912-1729-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp	upx
behavioral1/memory/6912-1728-0x00007FFCBA250000-0x00007FFCBA269000-memory.dmp	upx
behavioral1/memory/6912-1727-0x00007FFCBDED0000-0x00007FFCBDEFD000-memory.dmp	upx
behavioral1/memory/6912-1726-0x00007FFCC3AF0000-0x00007FFCC3AFF000-memory.dmp	upx
behavioral1/memory/6912-1725-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp	upx
behavioral1/memory/6912-1724-0x00007FFCB9C60000-0x00007FFCB9C8E000-memory.dmp	upx
behavioral1/memory/6912-1723-0x00007FFCA3710000-0x00007FFCA3828000-memory.dmp	upx
behavioral1/memory/6912-1719-0x00007FFCA15D0000-0x00007FFCA1945000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
788	discord.com
789	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
785	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5276	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5412	tasklist.exe
5428	tasklist.exe
7560	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
7572	systeminfo.exe

Kills process with taskkill 34 IoCs

evasion

pid	Process
6708	taskkill.exe
3012	taskkill.exe
2420	taskkill.exe
7084	taskkill.exe
2528	taskkill.exe
1128	taskkill.exe
384	taskkill.exe
6760	taskkill.exe
6512	taskkill.exe
2680	taskkill.exe
5416	taskkill.exe
4660	taskkill.exe
7808	taskkill.exe
6820	taskkill.exe
1968	taskkill.exe
5708	taskkill.exe
4628	taskkill.exe
4832	taskkill.exe
5620	taskkill.exe
3088	taskkill.exe
7688	taskkill.exe
960	taskkill.exe
5040	taskkill.exe
7488	taskkill.exe
6020	taskkill.exe
3788	taskkill.exe
6108	taskkill.exe
6168	taskkill.exe
7276	taskkill.exe
1896	taskkill.exe
5020	taskkill.exe
3392	taskkill.exe
7836	taskkill.exe
4592	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000e458d2831100557365727300640009000400efbe874f7748e458f0b32e000000c70500000000010000000000000000003a0000000000505dfc0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000b000977e2fceda01f554965f3bceda01bba116ab62ceda0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5000310000000000e458f38e100041646d696e003c0009000400efbee458d283e458f0b32e000000dce101000000010000000000000000000000000000000b740401410064006d0069006e00000014000000	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000b000977e2fceda015224254f62ceda015224254f62ceda0114000000	UnamBinder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "2"	UnamBinder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "5"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	UnamBinder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	UnamBinder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	UnamBinder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	UnamBinder.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
3280	chrome.exe
3280	chrome.exe
1344	powershell.exe
1344	powershell.exe
6536	powershell.exe
6536	powershell.exe
880	powershell.exe
880	powershell.exe
6536	powershell.exe
880	powershell.exe
1344	powershell.exe
1344	powershell.exe
8044	powershell.exe
8044	powershell.exe
8044	powershell.exe
5776	powershell.exe
5776	powershell.exe
5736	powershell.exe
5736	powershell.exe
5804	powershell.exe
5804	powershell.exe
1628	chrome.exe
1628	chrome.exe
6728	chrome.exe
6728	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2644	UnamBinder.exe
860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
5788	loader.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
2644	UnamBinder.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1424	1348	chrome.exe	86
PID 1348 wrote to memory of 1424	1348	chrome.exe	86
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 4120	1348	chrome.exe	87
PID 1348 wrote to memory of 1780	1348	chrome.exe	88
PID 1348 wrote to memory of 1780	1348	chrome.exe	88
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89
PID 1348 wrote to memory of 2192	1348	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe
"C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2644
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -F pe-i386
  2⤵
  PID:3468
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -F pe-i386
    3⤵
    - Executes dropped EXE
    PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED resource.rc
      4⤵
      PID:3232
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5432
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6976
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\loader_fix.c" resource.o -luser32 -lshell32 -m32
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb95eab58,0x7ffcb95eab68,0x7ffcb95eab78
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:2
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5024 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4524 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5096 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2416 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3416 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3420 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1784 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2104 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2432 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1788 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4248 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3460 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4080 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4880 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4936 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3132 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5216 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5372 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5556 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5724 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5888 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6028 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6112 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6120 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6528 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6872 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6820 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7156 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7264 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7280 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6348 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7552 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7568 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7708 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8080 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8088 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=8496 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8632 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=8816 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=8980 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=9236 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=9200 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=8848 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6752 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=8244 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=9972 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9740 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=9168 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=10568 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=5668 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9760 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6228 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10436 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:7092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=10104 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10652 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=9584 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=10872 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=10888 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=10920 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=10892 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:6496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=11776 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=11668 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=10820 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12132 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:8
  2⤵
  PID:7664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=10492 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=12440 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=12312 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=12688 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:8060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=12864 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:8080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=12912 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:8128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=12928 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=13112 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=13268 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=8528 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=13236 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=8532 --field-trial-handle=1936,i,3916391556419729315,5659594657431179354,131072 /prefetch:1
  2⤵
  PID:7988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x504
1⤵
PID:5876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7092

C:\Users\Admin\Desktop\loader_fix.exe
"C:\Users\Admin\Desktop\loader_fix.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2464
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
      4⤵
      PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1996
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:6008
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:7344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      PID:7376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7208
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:8056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      PID:7276
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:6944
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:7572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7556
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6968
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:8128
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2300
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6256
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1348"
      4⤵
      PID:5812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1348
        5⤵
        Kills process with taskkill
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1424"
      4⤵
      PID:7920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1424
        5⤵
        Kills process with taskkill
        
        PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4120"
      4⤵
      PID:3564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4120
        5⤵
        Kills process with taskkill
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1780"
      4⤵
      PID:3348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1780
        5⤵
        Kills process with taskkill
        
        PID:6108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2192"
      4⤵
      PID:1628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2192
        5⤵
        Kills process with taskkill
        
        PID:6820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3592"
      4⤵
      PID:6676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3592
        5⤵
        Kills process with taskkill
        
        PID:6708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 760"
      4⤵
      PID:5852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 760
        5⤵
        Kills process with taskkill
        
        PID:7488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1776"
      4⤵
      PID:4008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1776
        5⤵
        Kills process with taskkill
        
        PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1932"
      4⤵
      PID:7348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1932
        5⤵
        Kills process with taskkill
        
        PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2240"
      4⤵
      PID:6560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2240
        5⤵
        Kills process with taskkill
        
        PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3800"
      4⤵
      PID:7700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3800
        5⤵
        Kills process with taskkill
        
        PID:7688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 764"
      4⤵
      PID:1616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 764
        5⤵
        Kills process with taskkill
        
        PID:6168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1740"
      4⤵
      PID:6972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1740
        5⤵
        Kills process with taskkill
        
        PID:384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3288"
      4⤵
      PID:6180
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3288
        5⤵
        Kills process with taskkill
        
        PID:7276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4828"
      4⤵
      PID:6304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4828
        5⤵
        Kills process with taskkill
        
        PID:4628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"
      4⤵
      PID:7036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2032
        5⤵
        Kills process with taskkill
        
        PID:6760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3200"
      4⤵
      PID:3016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3200
        5⤵
        Kills process with taskkill
        
        PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3216"
      4⤵
      PID:8124
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3216
        5⤵
        Kills process with taskkill
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 672"
      4⤵
      PID:6636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 672
        5⤵
        Kills process with taskkill
        
        PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5508"
      4⤵
      PID:6356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5508
        5⤵
        Kills process with taskkill
        
        PID:7808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5552"
      4⤵
      PID:5352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5552
        5⤵
        Kills process with taskkill
        
        PID:6512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:6672
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5608"
      4⤵
      PID:5428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5608
        5⤵
        Kills process with taskkill
        
        PID:5020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6208"
      4⤵
      PID:2656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6208
        5⤵
        Kills process with taskkill
        
        PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6624"
      4⤵
      PID:4344
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6624
        5⤵
        Kills process with taskkill
        
        PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6800"
      4⤵
      PID:5580
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6800
        5⤵
        Kills process with taskkill
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6980"
      4⤵
      PID:2788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6980
        5⤵
        Kills process with taskkill
        
        PID:7836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6232"
      4⤵
      PID:404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6232
        5⤵
        Kills process with taskkill
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7536"
      4⤵
      PID:7744
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7536
        5⤵
        Kills process with taskkill
        
        PID:5620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7748"
      4⤵
      PID:5760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7748
        5⤵
        Kills process with taskkill
        
        PID:5708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7980"
      4⤵
      PID:1148
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7980
        5⤵
        Kills process with taskkill
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 8060"
      4⤵
      PID:4600
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 8060
        5⤵
        Kills process with taskkill
        
        PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7424"
      4⤵
      PID:6244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7424
        5⤵
        Kills process with taskkill
        
        PID:6020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7852"
      4⤵
      PID:916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7852
        5⤵
        Kills process with taskkill
        
        PID:960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7988"
      4⤵
      PID:5332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7988
        5⤵
        Kills process with taskkill
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe a -r -hp"neekeri" "C:\Users\Admin\AppData\Local\Temp\CM7R6.zip" *"
      4⤵
      PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe a -r -hp"neekeri" "C:\Users\Admin\AppData\Local\Temp\CM7R6.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:1908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:4436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6032
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:6368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5448
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5804
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:5788
- C:\Users\Admin\AppData\Local\Temp\SteamUDPUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\SteamUDPUpdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6300
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe"
    3⤵
    - Executes dropped EXE
    PID:6264
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "SteamUDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1554.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb95eab58,0x7ffcb95eab68,0x7ffcb95eab78
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:2
  2⤵
  PID:8072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:8092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:7460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:6828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5028 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3196 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3396 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5016 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5228 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4900 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5492 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5644 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5504 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5100 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3428 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4972 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5400 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5380 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5912 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6060 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6240 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6376 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6356 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6748 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3172 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4092 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7056 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7144 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7164 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6584 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7400 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7404 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5740 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8112 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6592 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6740 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6748 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8380 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8308 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:8052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=1684 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=4120 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=848 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:1
  2⤵
  PID:7836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5540 --field-trial-handle=1936,i,1163395880018980174,15169308070104724676,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:7380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5fbaf5d7e8be176c8afaaf213e32599a

SHA1
4d532c68b02f4fb1f0e6b4a86b00df3e4c79d84e

SHA256
57ae1529f91981bf65d6ee9ae8c1a21c1400e86a30e169a5083262e14f1d6c93

SHA512
8c8906ec32a48d2f1086cee192d6cc5d713ffae8515ea5c9a0ea73ef0751e2093a4f68f068d15f4bf7adffdb56e61aa3ef8a5d5d257bc534d8acd51fecf6fc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
1024KB

MD5
d09169ddb8ada93911943e5a7d178271

SHA1
7289998b24f5003af4d9f386b5309b7493580263

SHA256
64449f1e490919a1df0e4c8a6c15d1faccf359adacf88113618dd0f204566835

SHA512
22e944c61adb574bef0058b37f548aa8fbec097824f54925819b9111a25382a000403feb4564c418152bb7cddcf5f5ee266328fb0c91f956405d24b141b915de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
250KB

MD5
7d91cac10b34cfc5b354498d7d3b572b

SHA1
ad1f861161f03a23cab6f8b479ee314b93ea23e4

SHA256
d2c3b66be289dabdc9868596c50e77973518b92e96f014d53b6638c07a0b7a38

SHA512
fd43a050e184c8069342f7d380eb1fcdb6663b42f1433c209b89947896121473cde9e8d2f0176f095351439b8ce01ab4dac92c05433ad23d911c6e6fd8a38597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004d

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004e

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000063

Filesize
62KB

MD5
1721006aa7e52dafddd68998f1ca9ac0

SHA1
884e3081a1227cd1ed4ec63fb0a98bec572165ba

SHA256
c16e012546b3d1ef206a1ecbbb7bf8b5dfd0c13cfeb3bdc8af8c11eaa9da8b84

SHA512
ff7bfd489dc8c5001eea8f823e5ec7abf134e8ad52ee9544a8f4c20800cb67a724ec157ca8f4c434a94262a8e07c3452b6ad994510b2b9118c78e2f53d75a493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000065

Filesize
19KB

MD5
3ffbd1e963d6dcce5ddad8916f3d0fd4

SHA1
f9eed0613dc30a8822bdb897914315f5a0e949e6

SHA256
f603aed80eb6a8d8568689c4c735b73eac658e5a402f7d8840bc5fdaeeff9f73

SHA512
f0dba2780a4994a38a400b577229c7dac71e8c175c4c6d73bcd750086b4e45e2f13a1ba43ca139da2998c7fa1d0d8bf39ebfea83b31441aa6ed1df70e8498bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4d4caa3f5b097c8554af615a3fe3f829

SHA1
3991c6b94976b75762233aeb944e4ee948e66a5e

SHA256
279451c5d9b1fb7b33568eef08c82eea7c171ad57151a461c201c6a8a6c369e3

SHA512
3ac6b0be36c6d46e0b8bbbc2e52342a5d2811b4a79c7fa3b650926e5bb291ef7ac0732184dfd16bafb0a0510535fe37de1d3329d0a7ec313b9c01ae1b2e4be69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
15f1738178742368925b5f774e9e75b0

SHA1
e5439853ec6b716023d96832c0e36a4a9e6644d8

SHA256
7275d10c8ed2dc95565de0583c67e1b84b2e52f2ec867795f8d68116bfaf9a35

SHA512
03d4a6ae488f25cf6d542fe347922d10550dc78a32fa3d88d77d2c0d8df8eaa0cc52d4c4c9c54cfd1a2cafbfdcf8916037153591282a92f435e07927329c28a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e7bdfc5e98c77d9cdeb91e1d0c6b7cbb

SHA1
68ed167850f15b5c357e25240d06c49456895b77

SHA256
c16b8489efe1fdf01d92b4d7aea90c699c22c9a434b470cba21799983a00dbc6

SHA512
c509e33d18a7255a30cd86515cbe9f91cb374210d996c27ac35c9898e9481b7791d5f35a8fb2275426982f1db19f4ca98e343b5c61287467d57e0546094a46df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e03aa40d80e2b2c7a4e329978a50ac33

SHA1
a6e9104656235894487c3bc40458997eea6db275

SHA256
7309261e3dbf06ae0b36b2cc758befbf0599f5ccb024a74ca4f34fea423830cc

SHA512
f89ce93027fa9d6b72bcac8bf0472562991482cd6c21e36538930de1fbb98c6a7e352f9c81e6a9e6cb273361bd350d2f7dd0fd58a505d16575ac57f8c86022c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5a27c707af3fd85ff712c13096f7e7b2

SHA1
9d5b659261626e67a042d5ad231a5a4a253c88ca

SHA256
ff275e135095a4400808e6d7f223716d4b81719a56a0da6714fbf2fdf67e0ece

SHA512
06bb3533e0c145636d57d810fed19ac75ec3b725060cfc69793e8c371eaef27add3468db0df7e3d82f294bc8216f64511a6accfd19038f16a8f4f500b229e83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
de42c352176dbddfe19d0661817c7ff7

SHA1
577bf700c784fb2c2a612403b6deabe53cb0c5ee

SHA256
6abc1a8bec6beb01ed679bd051aa516452f4a5c14ee34f9e3963be82f9c7e46c

SHA512
af82384e5326c52e0240774bd050fe244a92c3ec34eb0c2dcc18a90169389b72bb68dc8fbf3d9d384a6c1683b7fe7924ba2c08db4fd8740752e689b53bf87354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
28KB

MD5
6cef2dda04cb57c9c48e56e55707e346

SHA1
5d59280bcdeb024d8acdba7f2713a1cd1f9fc1d6

SHA256
803edd8916ab1fb6bd64f7616f97da9b06617f99ca484608953124961d89b31a

SHA512
49d4303dc304a2e21220514a6662a586683534fe01f981451e9365cc834879599c67f1d782a7cd2f0ce02d1577042d07ba3c213995b0b8335dfda23fad34df2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
29KB

MD5
bea12ca875d2c2aa98a474bf3d53b6a2

SHA1
d69b2f1373203ace795b0c7f7533d59035e61da0

SHA256
7e9802b99eed68c27c5267b7b26d9182f3dc6a93eeaabe624963a5c4a2785e9c

SHA512
81d99611833f7c4f93697e8276203e25d0f61f9e26e041ce53c2ab8388f96a09a9c0988b8373aa3702b36500b9e0401cb18b65dcfc2a5cfa0dccf52fc9cb9b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
21KB

MD5
5d89e77e76e04aa3884b05a799e0a770

SHA1
69d4b437551468931035f1e40a18400ab5822d88

SHA256
482681b715e7639a6036bff94bed4af7ffb8e14e090cb34672983aa313e1d404

SHA512
e0e1871eb7e167df13f3332b39b8cdb4b16587a42952c1e9c3af4ec6049b49b800f575ea7308ed5f1092c1d76ca16a9fe2276fdee535aee26e85f385b037bd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
3867e86d88674fef5f5d9b356626014c

SHA1
a757f508b162497ec139ad5f6583e36cf589066d

SHA256
6d5c6e941c09f2bf7a9136caca2c2040086f9ecfd6e65edbd4f29ef7bb179263

SHA512
2567e4f564ba5e9e23054018de60ab9e632ffe8cefcaf368c9f999aeed2d6e1877c3cd7acbfaf787531d448d26e4e685033e0922f3453e57db092978d71115a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
abaa24ffa3a709afa6b93e4453f388d2

SHA1
4aa182f8c2a9f681141fec5d6377dcad4befdd71

SHA256
a3ba11cdcae5ceb9dbf4b3b1645980c6ce41ddd03b57aaae75e6da85c6725b19

SHA512
f9fc231d933681e476ef23818e0221407dd451267881506f1665ee240ea59ab693dc223ab52c0cb849ca80849e5f67aa97ea2207f11957ad830720364a3a4ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
961913177103ee83d374e3e66ef19347

SHA1
bf7174dfabd8376e03f06db1c91d8c16cc992cef

SHA256
13e23535e8b4769d773322e3842ec2d3ec4c9e7c9eda68c8eedded7aa41f5aea

SHA512
400707e397c824fca636db38e2248b4e0e51c5c4c03f689f88f7eb9b13bb814e3a0cf5784a5a9b34e8260434722a80ff82e674337a21b11ddd813bef1cf8b253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
31203bd19901d4c7d202fd5b44204d34

SHA1
75250201a88d4c285529ea9c401174772396972c

SHA256
616f3856aba802fdf367a98560eeb9cc8c456db313f38080611bca17d7c384c3

SHA512
d6cf7259d3be927efaf561207a365c0da7a95f778a6782e4a29b53fae1b860684ba89200152e4fa06854eb8fa8b2929a21f828c6ad3099442c6f2b336b2d1ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
52cbf2162ef4d79680e00a88cd276f0c

SHA1
bc329828964b0b16eefb3be2ac6ce67a0d23a6df

SHA256
9adec56b34a4d3ebcb0996e01d6d8dfdf5b9410eacf83d3463d08ae20ebe0d27

SHA512
b6208c28bdb5690c6baad2767167279a2015abfb04cbcc44fef7661ca5d16d182ef0105dce05f2d3e9c2e5187a12d7510864628c0df7cec88154f1b341fc5be8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
96038dfe52ad0c07b36704d5ec8c3a4d

SHA1
4ceb12254af7c21d518806eeec30d451867bb2e3

SHA256
a54d0eedc1c971abcf9458ea39fdcd145c965b9808163076b7f8ae44ca287c45

SHA512
108f8cde0fe67923edaf93bd2514603bcdaf0af8301b318853e356bc5c57f4499beec97ea953a33ae977c4d8bf02a13c58d900c14ad11d070d108576f6c0d77e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
8464e20eb712ace33d7e0605126cb04b

SHA1
5b260aa6675e46e2946ee35f88b1d9aaab107074

SHA256
1a62a88af8251e664e372823825602bff9e57606145b8de5c6da4a4ef609a338

SHA512
18929984df03a41e0d9862b0b9e27bf16708d778df0fa3f65a28a1d3cd3944bda016cda087bf8b78d6afddc210e56b50ecf54c3cb3c7378af12f25c20a9791fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
44962d7962422c7f41217999a3b06ba6

SHA1
84fa63980ec98e27a572083a3425cc5558254cef

SHA256
6362b4a77b9ae82767fb5d6c512a2adde5b43de7e21860db59318b3c4807e1cf

SHA512
a76fe66b3382b220a3f605007823aba758e3afcfa20f843438673571818716ab71cc1ab4bee19d39fe99c2d7941a76a282709e238dcc9944f0a064a9580a9498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
6cc73f4459f4522f656bf11aedbf6c44

SHA1
f3fe85dafa029b00f622e43f77074dcedb7b512e

SHA256
d748641ec45f69f54370c5e2ea49c8e4192c7ab7bb263d867fa0996d1d9a1450

SHA512
f361eb9124fd6c8bfa1327ec53f6599d767751b4c2c3daee3d10c806776250b66e159f0e855876f415ea74fbcf0d0ca14e2ef3ac25a0a54356cbbe1779ed770f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
b50e4248bfa053a772b79f152f94aba8

SHA1
97aceea3f4f5c0c765265a40ae8b5f91a4a6e9bc

SHA256
1e7425a8b538438c1c7f948eac8f9696ef674c1a3b137bd7b163a33f79e0fda6

SHA512
2e4d03e17a82efe7b1f0f4fade30727db32163e86e3010d30873d23c2317d44c1bae079b93669342a3e266999649ef9d3ec52313e20a02d37fc291022bbdbce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
276e0100fc8cb91705cd75a64a52502b

SHA1
ef27fc2fd5d114e28c8a2144841e5ca225a5e4e9

SHA256
627fa546013e9488fc5e08413ec06f3c6986929033c8ef0bef91d70c10a4dd7f

SHA512
3b14a67e2d4b3dee380ee4da917f3ee417fcbe5253ae441312c4fa20bbe4f289af187ee3332633cbfae790f1bd3d21258d192d44f4d16e33c43bb234eb610b74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d808066f-a1a1-4747-a053-427058bb17a8.tmp

Filesize
8KB

MD5
ec9c165bb1f83d4ebeea1e3fec12700b

SHA1
106f317f256571f91cd86f7eda019f28f25780e5

SHA256
da7f97b475e3a6257d47658a9ecb8ab3e661393ad4b9012f45e2ad73100dc1f9

SHA512
d527a71491b5f0e4bcc8b3c87d54f8e37efb6cd61025234126ff599f6bac5265104938c5a5c67ad1232e4823d4d50fac29cd63c0ba4517e1bcb9111a6ad4d07d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
58d0842cef7ea77c61adb48e137063bb

SHA1
4d07498cda478fdc384f5c80553313a5fd626c4e

SHA256
c495c09ef625a91b0e13894f543161f398776d3751148119b696254c79bc4c98

SHA512
16072c4c00437ff377702e6cd3c4975bda5c29f66e9bce023c89b989d627f8ddebcf56db477271d4a100088c31429a7bc772f986daa763637855693200947ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1779ea8c62aba986a5dc5b9ec4beb767

SHA1
15bf9c2de0e1ccbf921ab34de5384e1cdb1fd5d9

SHA256
2bc79686926b53c433ff0483f4700eb515d293923d9a116523fdf41e0acbcb00

SHA512
e7b921e0eae176d1d7255547165a91ab2293178045b5b8ea194f98ff6f0205dc3e5196dbef412fa33f3af47606677d53372622d64dfcb2ab759fe9efd3002f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
edce84cf8b93cb5bab7f65920a54274b

SHA1
1829c210affa1001a1e277a6b36d4571e8769dd0

SHA256
6af3c547bea8eb3100a881beb6b716f28b79d888b8f04721f86906b59ca683ef

SHA512
2bb988a231683bbacec3bc948ade8b71230d2bbe52efcacd38ddcea01a409f8a80c51ac7f897e7c62ff2d8fc3316efd8b831597e8981e32a64984b45622004fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
70dc53129d61173a7298ab59042f6d95

SHA1
6ead4f424cde565f5b334977e0922375d30bd7bd

SHA256
03bd77dc17d4e481b70111c49232f86a2610f7ba63fe31c4ec1cc83b4c6b3b09

SHA512
c51b32e12e73bac4f57739e17195e7902aab4f9525880cdc046ee7e7e335df9413138ee3478ac65dc5e9eeb3ed7ae3651029096ccaa230d520256d4a17684d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d84fabee0fe7ff28a31a34515839df6a

SHA1
3f7c5cdc31225dc878e0bd8b02f4ef9d292085db

SHA256
016eebd5012a284290308569b15dda77437abb69aa5aa932bee44d651cf3c323

SHA512
a48e3e00fe6f654e20b5661feef6d230fe1751f8b9b5d8ea604645325e9357a1f0b558e46c2a05746469eb1818c7347b2862563f895acd85854478f1113a22a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
867a33cbec960497e635eb5aabc0e603

SHA1
a725e6fa2904d352370746d16b1d64755293ef22

SHA256
71997e9d9da8583106e90f7ecb59772bc1918a455b4b8da17722e1baff0218d6

SHA512
f9df91e01fc066aae67c024849a188a8b54327332adf018e343bd05cc10dfb3781d7f0cb854d292704ce24b23778bcbe69de70ebb57c67f07e3a9165777a11c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
69dd941df84033a486789cc8267b66fb

SHA1
f9437434cf99b7d733544fa93a8fffeee0daecd9

SHA256
439a51841aaca80e8923e8eea2011ed81b72243307552051bb93500a7d4d43b9

SHA512
de3cee03c82531ff34cde02aeb151716735ba16f629aa3f2a482087e7691ee883e4719e3fb0e5b3192a45765ae47ee8f106f5b0ee08a935f3e60a4430255aeff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
cd67bcc22cdf9ca9e2ec3a8e8e893a83

SHA1
fd9e26f86b1b3f87383c158df7ab69550d84bf6e

SHA256
ceaa6b074407bc4e451410a90af3f2208448c40995317982572fae0c8395651d

SHA512
924ef51339d976a58788153afa813bcee3bcf3d291d7f15306cbc756f2a765b9eb81b4221107c06f72baf7a8fb08172b3ad4cb503057c3c5c02b1fe7b610ffcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
58a6d3a63a751b959c23df04a732431d

SHA1
c6547b18b124db9f3a49665e762dd08a546d131e

SHA256
02c363db3cc7eca72d9fa917ccdb3e653e546e258cac7291c07167eb9cf6b960

SHA512
96087fb15a03c1c4a65eca80cb2066899a8de97da9e523e05cd5434068f57cd0fcf122c37d15e622aa50ebb03d60250e4b0d99eb06f248c29aa7c1407ee0894b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a6217.TMP

Filesize
89KB

MD5
d206d59060d72523168f00fa137141fe

SHA1
4eb77ba6b779205b9e2552afde9715554ce5e5c5

SHA256
52fa54ca1347b8064ec4e46581bd4012a8bc82da54211a6b059cc435752787ae

SHA512
0bb43307dde646bd144643b9a81716ff63ed14a6090326d5371bf46f35520e6ee028010d23a6358e124cdb78fe884f6d8dadac7b2c8ac09b448faa037e6eb581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
c1501ac4c5535c538fea72fa7098b82e

SHA1
9fad034f706f5840d5834916ef3139f50deba03a

SHA256
6daadd9ebe7aac0ac71e1b881e2f205264babb45fc6934674955ffd9a3dc42d0

SHA512
4140360de253c5a270e84e570e721ceb47993de84b618426f446256a6d7aed571c1298aa2351f417d47aa1ab8bf5641028c48aa21c9846b075f4ac5578b307be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.7MB

MD5
4f086a444f0ded6ee6941f4d18b1f97b

SHA1
bfeb3cb27791b5dd40bd155bbd7bedda521b424d

SHA256
971d6aa712e01902cecba5e8405896375a3474da6b155a1dde599482ba2f95b7

SHA512
171b8ecebaefbe92e09a38abc8f619bceacc060c1c0addc6d3b907e1adaa7232188141deada97fbb72fd37631b67e288c9af24108f1ab4b8c57a48f5d19eb325

Download Submit
C:\Users\Admin\AppData\Local\Temp\SteamUDPUpdater.exe

Filesize
112KB

MD5
4c01b103a0f2e3a2c4d35ac3bc5d4f82

SHA1
98e42c7a9b23bbdc76196b49e16e1ecd8aba2cd4

SHA256
f5f504cf3ad6273df4f6dec566dfce3059258c250e1f01f2d2797fee7a088615

SHA512
4e88a92f531d9301b6854fdf0bdac038558df1170dd253ff2aa8b2f4ebd7eb42f40e4e946015eaabc966580131b7f74cb355f8ecf05a260203aa300f49dba3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_di1dzzod.jwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
592KB

MD5
72fc61d5b7df87af6ca5d1b4014c35c8

SHA1
18acd24bf7b5d1d605d2697b969c4e48b5b4112d

SHA256
e5426f45e242240955128a5de96e1440531836fe72cc2c0cfade8f3b8026f446

SHA512
1f789eaedb85036c8347cfe23ad220bd6aac5009086b634eba03d70d57292d4a792b9ab45ff9b46341dbd3bb7a9d900d0994a0bba8cf55bed60bd0a332290e37

Download Submit
C:\Users\Admin\Downloads\mfw.zip.crdownload

Filesize
7.1MB

MD5
60dfc8b9b5c3600d36b5b3328e830cfe

SHA1
843d45f8180ae62cf7bb61ce8bfdfefb4b6f0b7f

SHA256
e069ab243175befb9ca586dfe4a5b8229aae465175038c86bb66dfda9fbcb474

SHA512
5fb74dd8d0217b9f517eae6caa8b6decb2ece9a32312237e083e5d8763803554942474555a8aa027a9dc6877e932d422ff1a33fc5994c4b3352e2f9d1ac21759

Download Submit
memory/1344-1583-0x0000023041B40000-0x0000023041B62000-memory.dmp

Filesize
136KB

Download
memory/2644-520-0x000001FF28410000-0x000001FF2841A000-memory.dmp

Filesize
40KB

Download
memory/2644-517-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-1444-0x000001FF2D860000-0x000001FF2D8D6000-memory.dmp

Filesize
472KB

Download
memory/2644-33-0x00007FFCAAC23000-0x00007FFCAAC25000-memory.dmp

Filesize
8KB

Download
memory/2644-2-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-1737-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-1-0x000001FF0C7E0000-0x000001FF0D142000-memory.dmp

Filesize
9.4MB

Download
memory/2644-0-0x00007FFCAAC23000-0x00007FFCAAC25000-memory.dmp

Filesize
8KB

Download
memory/2644-507-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-519-0x000001FF2B5B0000-0x000001FF2B5C2000-memory.dmp

Filesize
72KB

Download
memory/2644-1445-0x000001FF2CDF0000-0x000001FF2CE0E000-memory.dmp

Filesize
120KB

Download
memory/2644-3-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-44-0x00007FFCAAC20000-0x00007FFCAB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/5432-1440-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/5432-1441-0x0000000066200000-0x00000000662EB000-memory.dmp

Filesize
940KB

Download
memory/5436-1443-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5788-1542-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/5788-1541-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/5788-1546-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/5788-1543-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/6300-1540-0x0000000000970000-0x0000000000992000-memory.dmp

Filesize
136KB

Download
memory/6912-1555-0x00007FFCC3AF0000-0x00007FFCC3AFF000-memory.dmp

Filesize
60KB

Download
memory/6912-1576-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp

Filesize
144KB

Download
memory/6912-1572-0x00007FFCB9B80000-0x00007FFCB9B94000-memory.dmp

Filesize
80KB

Download
memory/6912-1573-0x00007FFCC1D30000-0x00007FFCC1D3D000-memory.dmp

Filesize
52KB

Download
memory/6912-1676-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp

Filesize
1.4MB

Download
memory/6912-1675-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp

Filesize
124KB

Download
memory/6912-1709-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp

Filesize
4.4MB

Download
memory/6912-1735-0x00007FFCB9B80000-0x00007FFCB9B94000-memory.dmp

Filesize
80KB

Download
memory/6912-1734-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp

Filesize
1.4MB

Download
memory/6912-1733-0x00007FFCC1D30000-0x00007FFCC1D3D000-memory.dmp

Filesize
52KB

Download
memory/6912-1732-0x00007FFCC1D60000-0x00007FFCC1D6D000-memory.dmp

Filesize
52KB

Download
memory/6912-1731-0x00007FFCB9C90000-0x00007FFCB9CA9000-memory.dmp

Filesize
100KB

Download
memory/6912-1730-0x00007FFCA3B50000-0x00007FFCA3C08000-memory.dmp

Filesize
736KB

Download
memory/6912-1729-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp

Filesize
124KB

Download
memory/6912-1728-0x00007FFCBA250000-0x00007FFCBA269000-memory.dmp

Filesize
100KB

Download
memory/6912-1727-0x00007FFCBDED0000-0x00007FFCBDEFD000-memory.dmp

Filesize
180KB

Download
memory/6912-1726-0x00007FFCC3AF0000-0x00007FFCC3AFF000-memory.dmp

Filesize
60KB

Download
memory/6912-1725-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp

Filesize
144KB

Download
memory/6912-1724-0x00007FFCB9C60000-0x00007FFCB9C8E000-memory.dmp

Filesize
184KB

Download
memory/6912-1723-0x00007FFCA3710000-0x00007FFCA3828000-memory.dmp

Filesize
1.1MB

Download
memory/6912-1719-0x00007FFCA15D0000-0x00007FFCA1945000-memory.dmp

Filesize
3.5MB

Download
memory/6912-1571-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp

Filesize
4.4MB

Download
memory/6912-1577-0x00007FFCA3710000-0x00007FFCA3828000-memory.dmp

Filesize
1.1MB

Download
memory/6912-1566-0x00007FFCB9C90000-0x00007FFCB9CA9000-memory.dmp

Filesize
100KB

Download
memory/6912-1567-0x00007FFCC1D60000-0x00007FFCC1D6D000-memory.dmp

Filesize
52KB

Download
memory/6912-1568-0x00007FFCB9C60000-0x00007FFCB9C8E000-memory.dmp

Filesize
184KB

Download
memory/6912-1569-0x00007FFCA15D0000-0x00007FFCA1945000-memory.dmp

Filesize
3.5MB

Download
memory/6912-1570-0x00007FFCA3B50000-0x00007FFCA3C08000-memory.dmp

Filesize
736KB

Download
memory/6912-1565-0x00007FFCA3830000-0x00007FFCA39A1000-memory.dmp

Filesize
1.4MB

Download
memory/6912-1563-0x00007FFCBA250000-0x00007FFCBA269000-memory.dmp

Filesize
100KB

Download
memory/6912-1564-0x00007FFCBA130000-0x00007FFCBA14F000-memory.dmp

Filesize
124KB

Download
memory/6912-1562-0x00007FFCBDED0000-0x00007FFCBDEFD000-memory.dmp

Filesize
180KB

Download
memory/6912-1554-0x00007FFCBDF00000-0x00007FFCBDF24000-memory.dmp

Filesize
144KB

Download
memory/6912-1544-0x00007FFCA1950000-0x00007FFCA1DBE000-memory.dmp

Filesize
4.4MB

Download
memory/6976-1433-0x0000000000400000-0x0000000001149000-memory.dmp

Filesize
13.3MB

Download
memory/6976-1434-0x0000000070F00000-0x0000000070F24000-memory.dmp

Filesize
144KB

Download
memory/6976-1435-0x0000000065600000-0x0000000065619000-memory.dmp

Filesize
100KB

Download
memory/6976-1436-0x0000000068C80000-0x0000000068CEF000-memory.dmp

Filesize
444KB

Download
memory/6976-1439-0x000000006A780000-0x000000006A86A000-memory.dmp

Filesize
936KB

Download
memory/6976-1438-0x0000000066200000-0x00000000662EB000-memory.dmp

Filesize
940KB

Download
memory/6976-1437-0x000000006FE80000-0x000000006FED7000-memory.dmp

Filesize
348KB

Download
memory/8132-1450-0x00007FFCB5E30000-0x00007FFCB5E95000-memory.dmp

Filesize
404KB

Download
memory/8132-1449-0x00007FF7101E0000-0x00007FF7101F6000-memory.dmp

Filesize
88KB

Download