discordrat | hxxps://mega[.]nz/file/4K0wWBZZ#YX1lnHLgIRYuZPcNkOANd8JT9mPtFwxtOyFcMphV8_I

Resubmissions

01-12-2024 15:26

241201-svbb7ayrek 10

01-12-2024 15:25

241201-stmntsvkhy 4

01-12-2024 15:20

241201-sqsexayqeq 10

01-12-2024 15:19

241201-sp74zayqdr 3

Analysis

max time kernel
219s
max time network
216s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/4K0wWBZZ#YX1lnHLgIRYuZPcNkOANd8JT9mPtFwxtOyFcMphV8_I

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMjc5OTI3NDI3NDEyNzkyMg.GOuWiR.FNWWDzhiZI-BJlCUAsWOf3Q5avMNCiFtgUWBSQ
server_id
1307914676973076521

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Client-built.exe

description	pid	Process	procid_target
PID 3132 created 596	3132	Client-built.exe	5
PID 3132 created 596	3132	Client-built.exe	5
PID 3132 created 596	3132	Client-built.exe	5

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

Client-built.exe

pid	Process
3132	Client-built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

Processes:

flow	ioc
160	discord.com
171	raw.githubusercontent.com
172	discord.com
157	discord.com
98	discord.com
159	discord.com
162	raw.githubusercontent.com
163	raw.githubusercontent.com
164	discord.com
166	discord.com
178	discord.com
88	discord.com
177	discord.com
158	discord.com
93	discord.com
173	raw.githubusercontent.com
174	discord.com
175	discord.com
87	discord.com

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Client-built.exe

description	pid	Process	procid_target
PID 3132 set thread context of 5388	3132	Client-built.exe	128
PID 3132 set thread context of 5128	3132	Client-built.exe	134
PID 3132 set thread context of 5340	3132	Client-built.exe	135

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2c95df0f-1723-45d8-97cc-9a34eec76e29.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241201152022.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

builder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeRuntimeBroker.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeClient-built.exedllhost.exe

pid	Process
1136	msedge.exe
1136	msedge.exe
1796	msedge.exe
1796	msedge.exe
3892	identity_helper.exe
3892	identity_helper.exe
4740	msedge.exe
4740	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
3132	Client-built.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
3132	Client-built.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe
5388	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

AUDIODG.EXEClient-built.exedllhost.exedwm.exeExplorer.EXEDllHost.exetaskmgr.exesvchost.exedllhost.exedllhost.exe

description	pid	Process
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE
Token: SeDebugPrivilege	3132	Client-built.exe
Token: SeDebugPrivilege	3132	Client-built.exe
Token: SeDebugPrivilege	5388	dllhost.exe
Token: SeShutdownPrivilege	1032	dwm.exe
Token: SeCreatePagefilePrivilege	1032	dwm.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeManageVolumePrivilege	3492	DllHost.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	5692	taskmgr.exe
Token: SeSystemProfilePrivilege	5692	taskmgr.exe
Token: SeCreateGlobalPrivilege	5692	taskmgr.exe
Token: SeAuditPrivilege	2236	svchost.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	5128	dllhost.exe
Token: SeDebugPrivilege	3132	Client-built.exe
Token: SeDebugPrivilege	5340	dllhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeExplorer.EXEtaskmgr.exe

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeExplorer.EXEtaskmgr.exe

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1796 wrote to memory of 444	1796	msedge.exe	80
PID 1796 wrote to memory of 444	1796	msedge.exe	80
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 608	1796	msedge.exe	81
PID 1796 wrote to memory of 1136	1796	msedge.exe	82
PID 1796 wrote to memory of 1136	1796	msedge.exe	82
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83
PID 1796 wrote to memory of 5084	1796	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8de3f227-1e68-4c76-9478-3148abef48ae}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c993c256-b342-4530-96ca-80c3cb9b1f88}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c8fe961a-57f8-4cfa-ad6b-3e70dc2b50ff}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5340

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1328
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1612
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1820
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4a8 0x2d4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1756

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2492

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2756

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/4K0wWBZZ#YX1lnHLgIRYuZPcNkOANd8JT9mPtFwxtOyFcMphV8_I
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb119146f8,0x7ffb11914708,0x7ffb11914718
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6f4305460,0x7ff6f4305470,0x7ff6f4305480
      4⤵
      PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4696 /prefetch:8
    3⤵
    PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6384 /prefetch:8
    3⤵
    PID:956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    3⤵
    PID:5420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12077906841801526249,7928263718418004587,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6620 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5068
- C:\Users\Admin\Downloads\release - Copy\builder.exe
  "C:\Users\Admin\Downloads\release - Copy\builder.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5996
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\release - Copy\adssadsad.txt
  2⤵
  PID:6120
- C:\Users\Admin\Downloads\release - Copy\Client-built.exe
  "C:\Users\Admin\Downloads\release - Copy\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://grabify.link/QPDTJB
    3⤵
    PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffb119146f8,0x7ffb11914708,0x7ffb11914718
      4⤵
      PID:3192
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4680

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4512

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2420

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5764

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:5948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:6008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:2600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d533e1f93a61b94eea29bf4313b0a8e

SHA1
96c1f0811d9e2fbf408e1b7186921b855fc891db

SHA256
ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3

SHA512
b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
42c2215e4394e3906958d61ded8158cb

SHA1
c3032dc78ff4d32d1ea532d3687ce4d15a23ea5a

SHA256
7af0c570d97a2e83e35cde38e0fb8b03fbd66687321ec9b5c350b87aeb9e6db7

SHA512
a37100a25eac8e19891817b707a46aefdb57ab718374fca294811097781ae12479b0fea826982f535b0a0358e0349d8e9845b17feb196690f54df7b6ff907619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fccab8a2a3330ebd702a08d6cc6c1aee

SHA1
2d0ea7fa697cb1723d240ebf3c0781ce56273cf7

SHA256
fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712

SHA512
5339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dd05cec66406e1a65be5cd0d5cea77f6

SHA1
c9fa36f8d6eab37e656cc388979d618c83f784ec

SHA256
b507f7678e220226004108f858fd33fcafe02256b7f236dc95794c80a8e5b3c4

SHA512
6522fa79ffc36653c90bb2d3f20218d2d6f0b8cd441f3213b42bf98d016a44d95f89ef07a2ae348e609dc252d4c220454b179caa125f4f32aa5768d9859fee63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a33d4ecc46954ba98c192716e61f9768

SHA1
dfde739fc178b1f58485bd03e4fa74a7aace8d59

SHA256
a84b57c698e454ac6c325907048f989692de26341c7ef21b206ebe32c78c495d

SHA512
f3f82cc39c179c835e4eb433d7222da19a1138507c4c7a27df48cdbdc568a6e5ebec5e9691ad742b3ddb33b43406a78ae15d74c56cf3b3f2ed746c4263bf120e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
47500851f5ae433327b8b71a2998eaed

SHA1
9a5c27c4baf04cacf74916cdb0ccc7155fad2a94

SHA256
aca2bcf755c7bb6946de55adb25fdab2eda1d110055860f5e46306deeccbe857

SHA512
2db3834f5312b84082647f6c595da1429206d6a2489cfb5d8369698db7620b68a367f67db49c29f989affafc8fb6a68305e2bc193188f852b09685df8acc3afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b8ec54d59d9f717e0e61ff28edd43713

SHA1
d7e194b1173c327b07cb17a6627047145ea1ed4e

SHA256
b3fe7066c84f644e08c5a908820bf15d67781a195db719b60f5ef4971691ff47

SHA512
c0c187b61fded93b069f89c8c24d5208d4cd69af93e4f5075b7cf725163e4d6cd9bea7a8d8d5ae612de7777573ac3205d7bf96924e589f92ab3f97a96d8be6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bf6d3c05c1911962fe90e02a98196141

SHA1
49e23423bb0cda9545c70248ae914f55ff712a70

SHA256
41f2ec33632a3de0ecb5a4e12eb287224cecc88b372e83d60e09a6df71974686

SHA512
e2e1fa810e8405820977a25e1d39f95f2d84ad5d4b3cd3520e8c2b1cbbfa1129464a040ff914c198e66c36dafaeac5f49083aa3f61bded01a40a8c6e2b8c714e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f04e2e1801e62d4d1944faea1599bf03

SHA1
90064083ee94a0ef1c37f0ed8e9625fa559b8419

SHA256
2002345ed42ccb6e5c2a4157eb4afcb30e10949dd9268554fc66a9b1a14275bc

SHA512
73b796c45e794b9d486c93a8a6b0733bd9a6eba7aeb7eda6bf5a53ffa2d7a7cf8cb08fdfa403b9205a05304bf9d74e38f72d1c90d38c781f1df68ac3f9a46d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c4089862be8d8bdac4b173437aa742f

SHA1
6d33c21b22f34a009231ae812561ff0ce0914f90

SHA256
a8dcba32782f19504a3a007d7937b80c5ca3c966f8906a31047b6052780ebe70

SHA512
e3136aa3316ab6a21286c24a8373f432f2aa607cbc92f5a5bcf21eb6623f80e13160dfa78f249c755b03525e74185362a61ba20fe5ba9fdb7d715e03e9eb3835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0226ae579d65d9add3e2d63bf548105a

SHA1
e529658d55f402d6fc105985e68ee4bf4e0affe2

SHA256
d30aaf47dba3ebc0916aad16867ddbe60b9728c785dfd0ac25bbad5fcf897d88

SHA512
e99850d74f9edca79fcf2a7d103ca236eb3edcfd011228dc1825b6d1351e975cd561298fd78f48285713c326672df13196ee8ed25435aad8d49eec1b73a2436e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ed659b1d7a51e558246bd24f62fff931

SHA1
84685d6f04379c290e4261ff04e9e1879d54d42c

SHA256
23fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690

SHA512
1c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec09c7cbd7cb0b8a777b3a9e2a1892e

SHA1
3b07979e57b6c93be7d5a6cd8fa954dee91bd8dd

SHA256
a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e

SHA512
5fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9f3d86a60c7500cb31cc294e7034c6f6

SHA1
5789c5f73db0b9f662cc3d7fe7376c3fc87d3e3f

SHA256
3aab3eb5d2d96256e60dcc0bb03155cd5a20deff4f6353780bd44fed65e099af

SHA512
c6245cdc6b11dbea37776c11961cd766856a52284881124279b2a2c3892e94cf8bb2c0f5c43965c4d70721a9b8652e2cbfda5e23e5eab7f214ecbc4302502aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c880.TMP

Filesize
48B

MD5
4561663a6061c2cdb78cc7354020700b

SHA1
738efffe835acbef222ffc84bbb837f01da68b3b

SHA256
9e04d846d9000508c1b39b29ef433b49bdb3536c314efc5fbf1963a72b678a1b

SHA512
2acd3e377ecce2923c1d6c397c1e6316c0f688cf4823954088afe1d07f04e4b6c2ade13909daf5c967957003f826900757eba6902d473d4e0de7167f21eb69ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2e4c1b36de18f36213a618759e65e23

SHA1
2aab99b4a05b7346a1f3caa081468ce8308a8199

SHA256
82470dd5311cc1898956f682772476d06ed90d570eafaef60571892963ef1426

SHA512
3400741282c33a1151efee0aa685a43d2005240f7916bf8be5cad26fb24ef70701e715040ab336f54ca97cc26f812320e386908bec01b6e170587bb3043f7ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19ac4a5f0cafcf25c632ccc0db0083df

SHA1
baf72e832c67848b5c1931c6a087cb84dc1a5be3

SHA256
36a0e747d056da4aa4fa25a5c6989363003a4cca78e85daf858240678fdef960

SHA512
d425229f08e4174dffde1f0153519e41f6bea3a4308f5316fdce66789d0b0720c3c150841fc1ee6a666f11ee02c686e97d76f42e1ca624a2fb3772402bd3a6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b32492c1a54785aeabe1c810af59babc

SHA1
3bccc178dea7014605c685db03866b6532a047d1

SHA256
ba2b5101c168d93dc8979a1c8d1a66150add4c0a5dcbf16404646616e49755fb

SHA512
a551ee266e0022905ce027369aabab6c1931b57380867fa951b90c95e961f9a5657931abfe0b1ec0fb2142ace4fd373c808894f61c743208ffdd93f1a81b5ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593d6d.TMP

Filesize
201B

MD5
34d8e53885cd7be8f7b459cf63b1a0d4

SHA1
86cda5cc437e34eb7e20601622b2c7b56e7a882f

SHA256
4fe283cec5bb6bd3830c8b4d4ba168177d27fe05ab47425936e5f3c62e0858ce

SHA512
511759e2162c9d32676f3e78a65eba3ec38ba8e5f485a1cd3f5bd8ce8d512c10580e5a9f1b36f7850e2af4516a4a4a0666a149b9fb5ecd0e73881d6e6ecd1a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\be52f762-e803-4b6f-973d-988b388e72fa.tmp

Filesize
1KB

MD5
cc3c6318fd010c95ccaca8f8895916c6

SHA1
e03c16e3115ccc132305e6c36ba07aeba5346324

SHA256
0e257a8cf61ee71460c813ac4e2a7dd55a5c7fd5876d83a7e5eb4c08d095376c

SHA512
9ba92594b1bb5f9cc27fed1e13e5e1d296fa45240dab1d00435cecf5208e7f566e1a8711c906bf305114a15ae7b3cd08c8d888a29a5b01c3f8b62085588334a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
758d3a89718baae64862abfc75848cb7

SHA1
42570ec1ffc8b1bc9df1165c55a4bf3ae4ba4c20

SHA256
25f25df2dc34d16e50d6bb71ed234e49e3faa201bb0856359803e5febdaddaa1

SHA512
92adbfcb2350e925f2a2147417ab64319871f6f7dfeed22abb2fe206deb275620c10f1d03c958a704fbd98c88341427151c01ca6e81a42519c08b37ba19de579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b7dd1bf7efa99b6c910cc9b142c93db5

SHA1
1e8c52a506b56a83b4fabf8c831bf6d2cb264a11

SHA256
670669d45deb599399e5defde54851cd661d9d6aab481c6ccaa2cc81296220a3

SHA512
24583f10183980c5529c35fdd8c83a43c68eea5b3732e8c556aff6bd9571cc4597b3d67bf9e03b87739f760f2b0b681631487aaec08e0aa67262259533a35477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b73fe62ede755959d74afea10f1a7132

SHA1
7a63c4a9d567551333d6258c5970424c34a94ef8

SHA256
929a288b449f20d5fb3dfb970b2af55d1a7378e84c4e6f76cf1a7fd74e086776

SHA512
bf0c0baba5c25fd0149251b2160ada35b27f34b129552669b9f16657154ffb2d864287dc22af440c6e68e0b8785bd9c61ebe34c258ad37df4b421e83e3bbaae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e420f333548920364be30cea4ceb70e4

SHA1
176d1eb4b545b9a9a2e89c19b4b754b890a44ca7

SHA256
fa504c44df4c65c3e1c363a32201553460becf6e824d93d7bf9f62b3de9786d1

SHA512
835b1121b0f6fa5a10f4416d7ebc48c6d37b5380c5ce23352a8e4e790d22c3191253d927466fabff005ae8e3ee3e3c076e88d231f717281293572f2674327331

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0f22fdcd0c680e679855ad5cc8818c4e

SHA1
99ed8773c458281a9bb1594189bf996328a6c825

SHA256
3973464442cf2371b281ab9ae936c99829121ed006c437944f09565f9d0e0e02

SHA512
2a553513ed3f10f2c59de6636c61d3fce79266093c86bb35204956c10afdedef451f150c2194c7cea75cead074ba44c0c0229bbcc7a04df5fdd769fca972a0f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
47081d23579f3b858c49f49e4d74dade

SHA1
603245aab2d3bb2e7d1bcd9c602f45b70bb2f8ce

SHA256
bca09bb5f2985b8efe7bb4bb819b1495e24f0b82c2be0146c91202ce471fa78a

SHA512
735478863a74a75ba6c1b90e8ad545fb8567f4c32e742ad85124304758f0dea09e053733d2cdca3ff1809c0c9b8ecd56e8ea4169063a94075e4622832b8f4c79

Download Submit
C:\Users\Admin\Downloads\release - Copy.zip

Filesize
473KB

MD5
bcd68b7e0afd9a4145c97c77b7e27e95

SHA1
a129a5e722d84fb264de89f4079a3898bcc0c5db

SHA256
5a6e90c8a58dc280b1dde688e2c2a342774027ecae6d7176d101c12227be2c7d

SHA512
54566b84fabdce9c92ad8352b7d213bf9c9545fbeb9c93e949c1b6af3992db2b0816fb0f1294d9098a02b09feab1f541dba0dade59eda67bf1cf71f64a4d6f32

Download Submit
C:\Users\Admin\Downloads\release - Copy\Client-built.exe

Filesize
78KB

MD5
e8ff8d278de10cc2f7255b156ae2d252

SHA1
c91554ef849852360499b82579ca0c41c9dfde21

SHA256
08d4d8a882d74fa4d9525a5c78351bb3eba95f1c7d78f75c2f5d606715059e90

SHA512
c9eb226331c00b915c5ff5b2b407aa6f31536b671bff1cf11aa512d3cd4a60d0c9db14e5e4aee554e74259fcd755e9d835a960838d679e389943be0f20f65952

Download Submit
\??\pipe\LOCAL\crashpad_1796_QYRQUAMFVGKBDYUY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/596-646-0x00007FFAE1910000-0x00007FFAE1920000-memory.dmp

Filesize
64KB

Download
memory/596-645-0x000002198ABB0000-0x000002198ABDA000-memory.dmp

Filesize
168KB

Download
memory/596-643-0x000002198AB80000-0x000002198ABA3000-memory.dmp

Filesize
140KB

Download
memory/676-650-0x0000027ABE5D0000-0x0000027ABE5FA000-memory.dmp

Filesize
168KB

Download
memory/676-652-0x00007FFAE1910000-0x00007FFAE1920000-memory.dmp

Filesize
64KB

Download
memory/1032-658-0x00007FFAE1910000-0x00007FFAE1920000-memory.dmp

Filesize
64KB

Download
memory/1032-657-0x000002469F060000-0x000002469F08A000-memory.dmp

Filesize
168KB

Download
memory/3132-390-0x0000018349770000-0x0000018349932000-memory.dmp

Filesize
1.8MB

Download
memory/3132-636-0x00007FFB1FB90000-0x00007FFB1FC4D000-memory.dmp

Filesize
756KB

Download
memory/3132-1011-0x000001834A910000-0x000001834AC68000-memory.dmp

Filesize
3.3MB

Download
memory/3132-389-0x000001832F130000-0x000001832F148000-memory.dmp

Filesize
96KB

Download
memory/3132-391-0x000001834A070000-0x000001834A598000-memory.dmp

Filesize
5.2MB

Download
memory/3132-597-0x0000018349CE0000-0x0000018349FAA000-memory.dmp

Filesize
2.8MB

Download
memory/3132-634-0x0000018349AA0000-0x0000018349ADE000-memory.dmp

Filesize
248KB

Download
memory/3132-635-0x00007FFB21890000-0x00007FFB21A88000-memory.dmp

Filesize
2.0MB

Download
memory/3536-696-0x0000000002DE0000-0x0000000002E0A000-memory.dmp

Filesize
168KB

Download
memory/3536-697-0x00007FFAE1910000-0x00007FFAE1920000-memory.dmp

Filesize
64KB

Download
memory/5388-641-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5388-640-0x00007FFB1FB90000-0x00007FFB1FC4D000-memory.dmp

Filesize
756KB

Download
memory/5388-639-0x00007FFB21890000-0x00007FFB21A88000-memory.dmp

Filesize
2.0MB

Download
memory/5388-637-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5388-638-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5996-357-0x0000000007240000-0x0000000007362000-memory.dmp

Filesize
1.1MB

Download
memory/5996-354-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/5996-353-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/5996-352-0x0000000005B60000-0x0000000006106000-memory.dmp

Filesize
5.6MB

Download
memory/5996-351-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download