discordrat | 879434e9b5f6398a3bcc7dbeeccc41a7a8284a6d9029c1fe3db8353e61463783

Analysis

max time kernel
210s
max time network
209s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2025 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

ae435f868dfdec6d306fa6c99e832504
SHA1

a3c32006a91a02a378d5cf46986001a3da127378
SHA256

879434e9b5f6398a3bcc7dbeeccc41a7a8284a6d9029c1fe3db8353e61463783
SHA512

19a2c3a81fad52259464b41cdc5148781ce3e4795b42bf096a1134237c2087a082e0b0fb14366947036fb472178c7373211b09e50085b1ce3928518bfa13bb3d
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzk1MTI1OTgxODMzMjI1MQ.G93Qk4.H4mAeTd_60O2WKIyzj2t9Gqxi0w69VeDvI9dT0
server_id
1317948076505169970

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3472 created 636	3472	Client-built.exe	5

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	raw.githubusercontent.com
13	discord.com
42	discord.com
3	discord.com
5	discord.com
6	discord.com
10	discord.com
18	discord.com
9	discord.com
16	raw.githubusercontent.com
17	discord.com
8	discord.com
14	discord.com
1	discord.com
1	raw.githubusercontent.com
7	discord.com

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Diagnostic.log	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\342cd0df-facd-43aa-a87c-e491c34aee90	lsass.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3472 set thread context of 3128	3472	Client-built.exe	78

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tubtehzpogeoic\DeviceId = "<Data LastUpdatedTime=\"1736615293\"><User username=\"02TUBTEHZPOGEOIC\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tubtehzpogeoic\DeviceId = "<Data LastUpdatedTime=\"1736615293\"><User username=\"02TUBTEHZPOGEOIC\"><HardwareInfo BoundTime=\"1736615293\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tubtehzpogeoic\DeviceId = "<Data LastUpdatedTime=\"1736615293\"><User username=\"02TUBTEHZPOGEOIC\"><HardwareInfo BoundTime=\"1736615294\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02sozzxcsrmbdgzs\Request Saturday, January 11, 2025 17:08:13 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAvsLpoGmuR06ztpzJq+AfLAAAAAACAAAAAAAQZgAAAAEAACAAAADf6tv4tJQKl+Ye9RNgWy/X0yc7rYroSXb+lrLRX012AwAAAAAOgAAAAAIAACAAAADhcAunsb1kAoITdSVAxODyijd2+XhdyGBb8KJUAGpr8lASAACSSpTZ1SFu9RZtoHadVYkAsgVopr1y3BEJM+u+yelnwWqclFv9k857h3QCYGbQTusWiQPCHka/Yx1h+0BK8EhPAiZdI6eik6oRxm0Fnps2tUPlpoOlRcbdkiJRZ//ZDD7lyFegEsCAVzQ4ANP6xDXSd/IVi02AMmYlz/22RNc1oOwTuBdAxiex41hSdaG+3C/SDPuDTROs4SP7WVF10FECadks2yFHxs1eLveP0mHSUlXf5GqGm80KKd0pIs48AOWC8xDe1i9QXQaHtbFeQzmSvp2wh2/w8tvsjdnCdBY5NFeuwLGgRhwKy01QMrA1KGoScqDtTzvxpPRfG2yNO7gwwRbIrMrXQURn3D8Z/2M5x7wTXLVp89BSUSNnAdmI5usdGyYqQoX3rlBdd9oe+FR7BcYTrSuAcOErMef86QW4r/GmmnthYQP4HfAWL2hGuCdPj+LMxGgb0OGr3lZaz3tYR/NUoPddnXTjVNS5tiwc3WlWwQmkwME2W/gQHAJZVJXkzxJHpRTfpu4QlSOSHRCLhUU1NxAlQMrUEnTIhR9cYhZYIz9J21vhCJJL8M2MYUsBUNPhieN335A83qtTqtusE/RjOpapllxg0PUk98X56GfIdy//6n/GUpeXU0RA65NX2IDFAemVTMKnT873Grh9/sA0ipX7BzYFakMi8yv91anmo4NZEZ8qjs3Q4T4Y3e9K7LYTg+qW7P61IoLE+nkUGPgg9uw6Gn0gCIuDvi0+AY/Pmq8kBlDU9qpZbLErpLugEO5SdLf7z0zGo/LpO5EoKlK7nC4KhqsdMyQumDjxQFydhTpC5jXe0Ovt70gmHlbn+O//ujwNmGB471m/946aQCMAUHI97+Q+4wIRaHUVTiViGb4b3zf5OPCnUUoCpjRK621NS42awCcv2t6UCfRHQGpSRsx8Jihc64BoMDjm6lblDa+aQJeekSvhuYsKxMEdJVddYqOTbcAzC3FiIckyJ5IwmkoIsB3u7OcAZqArDInYsxs/d4YVRTA8tdho/tKR+ic08PPRc0Mmd3nRaF67DVnIiYkzNG0JBEz9Z2lnpFFBr8D9lDk3D0nwWDhiAsVfcvIdrGEZVctWJzI1TbCP0nIxDHyJVMZWo0MUkii+najvtssXMElEsnclCH8Br8VmzssWLOfgAdl0GNwPpHm2Lt986WpFpWH6/L7+NvWHaogJptY38cyijFi1fJBEwDTyODYYql7oUKfkp442hdDen7Ye9Ga4Xq1nvJhpxoNl7YSfbYd15Nb3w2TJG+iEYuP/IBnFrVaCEc+sI/AWBCIz6AXLBgzMY3D1FgIBC4afMo79ACmt1XOMlG5YI7DrcdNxZm5XIqHFdIcsa0xnFZWVpkqcvU5qS4uJagsRu8NYqjEWRbS3tnxto1b1FFiIQagyFmI3gKd3cPccvXunbxsliLvWM6rYf0elq6NxWwrhI9Cf+RTTyAZH1m/hJLXQWMrymK3zqLYqzoZ1dOITyPNnaena1zLKWPksCr/udboSr4U94oVB6SKPrO6K1CyjSWcBgcLT6Y0op1epL7DZf0af50R4LnKHnbf1gMr4TGZJSopRbxLWCd+YoMpSey8HAqsfbuz2lXX0QS4ah/BYc66S2i0tgOv/tAq2BWhb2YArP2GlV1XY0d7O+ObkoVC6dEdpM95yeXbl0FcifFx0H3tBClISQlfsuJhJa4uKuCdd5h8iJStPeIyR7ONhbOPw4UicnQ9Fs/JKLbyMQUHvA5JTuDEK6fwG1bUTFvPCO8a3Wwm6QfAM8H6neeriOkDotM1mdX3ba0UavTObkrs8rS1eWNELZPZRgQPygBXzRaKaKQGZxRricGUzevTDdHtl7KRIxQ/ABQbT+RyTxxmNrSjQ53LnuxqbOPG37eLivQ86ASGzsC/OuXYZGG6C6RdyY5VaZwPkT5tZw96869k//MJzN5RQXFDafcXISRjokNQExDKUuOo5dC/XhKsbO1EO7CRyUS+DNTcIJlaBplfQqP+6PrxEZkZAKOFStOlngzDjnQr5qRv1nVcszoOqNpdUbbcSnyr+8oam+An07eCba9gqgHs1gWiB31Y2+ZVenxC7sXWOxWsmGzhw8z5lKYKHX75m1jWm+NzNTyhmucz6HqWCnoqAoch/r2lJOM5pyxKBb7VbT8dIscYUcw50HfVHlcAZkfxC4WDuERAuxIaJjbxqmrogRdwzb7EtJFDe63MVOPD4ru/bGq6YKamAA8k04XUTmwOAY/YlQV58ZKJH7NNeQ0Ll/uwvXkr6uJvrX1Ew9y5jPXjNVbnvK47B0DejHE0Bvc2dbu3xO/m+5YOLhHfGnz+6JUo1lu8qr2QXk27ZGKzG2+8vcK2RAPJEpf72uAgNBx+a4IZZ8TU/dviY0CBmo/WU7N5FmOWcMojdr6qBKDy/XlAJhN6Pfs8lYJo/KpTJTSRGK6Iojc4vB//xyzSkg1n2wGbO5257ud7nJzlkSWtoIk+XwQdaLcpwuH6kV0D7i0COFstaDM1qLgsu8t302C3KPFEo3vBnDVpWyFJIk5yJ0aJlI7mMObJVah6PXX3y1Xv0BbdyNqd3LV9xI3ruE61C+WylVja8t3kVJYaQm/Yh0uCh9bWmqpVTbPfIN+oEjmwlyXNsJKkzj/INBHxQxB0L5JLZ+wYU8aou4RBbaTcbuDnFrQYJvdy/7esk/B4xelgvZiYiAw9ZvKnvkJAJ0GccJOEsSigvHmY9QlF/b/Iws4Bv8RHM71U2cQdKWHy7saUc3fo5z9bwTrCx0UkIoB+8LO6vsKLkCa3VMoDrfbcNJQs+zMsk7x+1CPqEAQqG4qvrIwPA7NAIdzGO9YqlulXMEIlaDBTHnQDOkBk8Ml8zhByZSEda3P3vnruQ1DZFVjkMPqkHwrHV8N/GrQ5ojxr9ytiz6miKYqFTGW+SG2DnqmHuAqM+q1hltrL4hzF718b9GrZZntBR2uV+IixMOPO+kv+6ocm1CI8mpdn2GoNsGTwIFqDna3L5mnF5/u++BjAQZiSiCyCkB4nzNAtWpo/ZYJZsAOD2OOMksDYjbHPe8n5dtsc15lWeUyX7Rwwd6Y66UHXqldhSfWcQ9RiUUIbCwo8LNb75MF5aVxk6bCB+iGgats5q1psIcjsJL191GnrMLTzs18xuE3XrfMGKVPfoHOZBLCb6aYQ+eOK8mtMPGsXUFd/zy/YgxrsTHUS6PY7KxmzQXEqlfUj/NZ59NAl5rHBAX80S22UNZg8Tw4PKAMiTelQU0KWJRa+lYMGO0TRIH+0PS1JXovvF2OzflblhnsiKpkjkvctiXHkq5Rx6v0AC/jaFK/3LttVuzi6VtOJtBAoF0NcJcDm+Gw3GlGErnTsel7Ag0ZwmeUAS4J2x8jrWG06wVSH2l3USX9FTZ0le9useQOVRiYza7O3/U2IdJ55YF9m2vRG8M8JIvqujuAVwYU/9fz+01LhANKc7XKY7q5CAV/9x6JS8OFoeKa+igv3YsG1Xi24VwHc5I576F9ydEIPRgDIjAWHNiCDOr8Wd7NSapDehVP2bYnlOexIXjne3vX+R/2bK4tzU4xfomvTf/WbfEA3gMZPq9gBLnf1axM8EsYzlpzC0a135v3WQZ9Sq7U9qYfz/SctVtiUM0U96MiWhsBJIGx4Kv1mTbwedj0pWnvwAqsRX9ws46rYoFH1w8v5yCKEpNgl16ntL1riXDl3g6On421NqGdBNwe0cb98BsyVpK5CPzHmo5hMG1/NwO3ZfAUgslff6ZiZgO8xFjL9RP3gX/iE2W+yw/IXFXhj9iyD6Wux/jKSv18bpxuUcoqfJC8FNbrbShkDgUxjcLDFLdAANLRVZ/TUD1f0u5EMF6u8DH4vTSS5t7sYaYWYcFBTTVMtNqLKirWZAb/Z3gbIoq6rsBH2vjT8ro4LpItDB6M2GNvwj83ZnhQgx0wTp0/seIcsI919kxUMatM/PYyfUERF3IQu3tJWIMVfId6fVLjInAk1xCsD4BAjdCoG4QF23cu+UQHHABHxGfEz45BMTzKwePu3WTNJqL9RKR/Fk1bmKhrnpQY8fzPc0bGOmCN29KnqhXtHmNqU2KHftHQMnEX1CATF0/mWkFeB4tF2SqMaw0b20ukX+x8VUfUuQvPdXT7Dw4AWyIS8dAEBR4IgcEmpGPNMyzKn3ncxr1Ww7QyvBJx6sJKS5Z7j6VzFbNXv1QAT7GNmEPHLf0lPrh57VAjrbeUf3oMxaAJ0hCFOhahDrxqocjkOKKCmUzfaIL4YSjiitAV9N8KTT1p/UkGIm7b7k+erhxq2Egf6M0y7z01Ro2aA6fw89X0zgZExm+7+39LK1o0mwZggpLHBx/iuBAQjdJeu7Y3tRYS936xzTs9ObDjihUd+bcvY/N4X0+dCnErq46+yCTau6MNlWanEgTBFb1KnXFLBCG0UuSSz2j74/u0sR6GSTgz5on+UodNgLXrZAJaM+OPwywg6N584UOHteWUdi4tbpqhF/d4ni1s6RdvaDAu15DMQ9oUO53Dcb7jt4qmVc6YefysuNJLjkl4/GpOs7rVCkegPd9o7whgdo5NThZ2ymmVKL0i3UpxQOvaBxnm6Co+UMWcm7A0HCgksT8Jw+9GDTeVmUIGBSZjIKsSZMclp/Bn2rRiILyLa2vlqBwGGyYITicLGxf2wlkfjE8iNv4tpSi/34rYw5k3+ui3P+oHecUzfZEgrsRROsumIT9DCsRZQBwc63LZLhZBan51i3LmgbHd1t/YEkAT45loCRgy6zik3avXCcMwmnMskR+b9B+mWhAcOgwyLEbyb4Ie41A+jSGY4RdUnSBIVUjQPetCTuKsIg9SqED6LthBbolcYTBpTSv7HEkNGfjfAB6xm73reMLz1eWBQ2vAIHSTMWTVrmhYdQpHq8dhb7zB2GMLeSI00LAmUFP0ET8W7G5kBhat3y6u2dUwkaenjG/QW4U60lc4hg/66Az1VWCtPgt2yftDN2cLTlOnNrUuHDJoZBXfWa7BYNFNea6oGTYKSjPEFH1B/gD9csKoGa8yZ2rmfcrnBsvCwl+YwODmyEd3s34lrMxVlLi7qS/4r6x2+oYtCAd/xGF46QqF+0zevAL+aSRhKXI44n9uGRcrF/GvjmqctvKztqvgXFlwt1sGWsD1lcmguEunbflCzmphK1YjnbrCiobntyMTM2YGek3uF0hBXNatP1+1zmISpieXJJnUqw1RtYvDYoWH00CuZhnf03tSTZfBRNqcJIxC+wgw3uKN9rR6bmfDvsIJ8vi98fGsjvOnePOwJ99AtjVgCdoJiwbQOoI5Mzmb3EAibMhod/XBpSeGZuXO29ipKRQmBMfgi44budo7oItpHaFyhQXrX6uSST8KCj1ySL1dWRmzPsCvn9essOsG7bw/5c/9yWEAxAlWNCjLE9G2h9NeOXwVu8GeQzwW5toR+pVO71dB3JpIX4z4/fhm2eBAePU7SkCbf/K45QMRTMefXYn2OC/QHra2RksVg5zvw8f41AXSiaVFMWLZQfyApC5wyeyTMYD2LHFpMEYJ5MKxsB3f9ttStk5eXmYYVZK53qZ/cVBRfFFV3vz6VzrWQDP+Ug+yQJ3QumvYTdLa07bl+ib52E8cgZXzTh2BizapC4zKQ1vCzmH1ndw40evNSVdUvkkYQLdnPOjlXf5Eo6ielAVggG6bT0b1dYDZUS2S+6bQOsivGVp2O+4BVPVEj5mO8DnKxqvRObWFOQRYZ1uW/zKYOonVZPn6Ex/03o7xZIG6cQL5g+1gWPKjY0v52VoGEfvzC1INgSOWKD2EZM74MyeOhvvvHHm7V/77Z3qv55t7NLFQKUiahKwNuCrVJ3Tu4JNpLXx1NyV5pEVJZZo8o+S1fmh3jIT6EjE0/PEOihBdtySthgLCmdQuAdsGkRMVNXSLvLzkvSkQFfZ6cOLPOzGwruD3kA0pAbagyn0PeVNMEfnRnmy19nyGOfUafSVwyroETjiq/mlCZG2lXTlZo93adLyAOUzZ/sjnROYmbASEOlYs7RuHU2Jv/rttkl1hqMSQRml/gd8/ekIuxvlRair1FIXmya8gwAWwO074w7GUXYQhYn3rF0/yGyCMw5d3BkItPRNVYd34W8SXdFXdiEiD98tXaZ152BFOSpoLqkp83NMFo2yaX10AVOOlfP32qXXl5Te6Uj1LFB4Y28MIz/CZuPJXCegkWHqo2mYnzAsVKXRS6UjSIBrfPOEU8Amq48pntObGQz5IiyEj8qY3xV65azJbyz5kAAAAAKoE+8SMwjYqRMWhB+f2F2rsd40k3AZfESsF5qWkm6p78rSMCPDOysT8J9siDsR5czxja+J/B8JkL68KLiT1zD"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02bhksqhuphqkoea\AppIdList	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02sozzxcsrmbdgzs\Response Saturday, January 11, 2025 17:08:13 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAvsLpoGmuR06ztpzJq+AfLAAAAAACAAAAAAAQZgAAAAEAACAAAAB7isht/kYCQjdvDVMuO5AfWOPT0vPpvQ3vVA0weMODKAAAAAAOgAAAAAIAACAAAABkWgUPBJHPtVDl67ODCjIjIaRK7YeKzCN9MGrgtwFwFIAHAABnrrIZvKbAseBTpdFz2po+wQCDKeUleEAhkgl0TORTPEhJl/OD+nLEGi7qzT0uEB/4JiVuCCCiS5rmgfW5h/Tmz652becnpHgtrB+pdwqL216Jtab5qRlf5F3Ua+8QEXGmOAUeOYaJ1rF/D9TQbrimZGAp/k+Rkf0WUKIAtH408cTOfQiRFDAhmXJZlD4Zj9fBkjgywDkeekbml39YyyfkhwuHR0eivOu2HdSbH2qTgB5hwNag/8BN9c59CEbWCDHBaPtwXh/HR6CGblbX7G7yn+Gu3wMmg0EPU3CgcBUePMq12uFDUXGbiadqUPh86Jonbi0VNtcKlWnxyix0LCS7RHIrSYyHjAPabyFIN3pjRZxMZQs3R6AvHWVFmhsmwCAJfzqT7bOlXa+4dc5bR+zfkF374BtofE080qeZOJPZwrR3+cWz39mVnF3/1ND6Q+YAKHjQFmhfq8AzyE06cCtAas3X6kOtJRJ6aLEaUh6frjVa+UG9cZ6uGoRsU+VZyO582gJ93JcqPQCp+RVmQNfvNza7iipd0DToUC8folGyZnepnNTcMKP6gTdRPWXjp+xNBZpmQsqfHAOy8+G5Z/wKq2CiwMgDhp2P+RR1+nklBjVEy4s6wWQTk+G8QxOg9x4EI26MxO8Uj0DzkOM++Dl+Agw8BI0HA74+ypdvmlANIM+vAbPEql92l4ZWCa+Y7H0YDuD96H+X7Iz73QBI2jqQpITRRfbZ1MKsUfS/lGvZhOuYmnVLBwnB+ufjfftyQAg8CUyB84ioCeLZu+QeznSn4CXHr3etNTUvgsMa9kzHV31XlAtGiOZg9f/sH4HSU3QOaa52gQjDrrjWixvKq3zoKeEQ/b1xQkWbCS2KNPvVxLBHpAp9e+KKi0iilkYGq9TLbdzSMoQxarc3tsojSXKJgGxEbgHcNIwEhAS57mvPBBJUQ0nIPOKtMs+cLDRPRKyXc3nowd0NC4GdE3m27MqNinafmPOSyiGy0GqO7fAwYGvSz49nopdjTMddoBIw0w1BiGE5DFninEePx89oMhzLmR538Up/ebW0FGLDhTgd49xCeNg00BG/MbGrG3Vhfem9hV6J2GVK29GOfxH0Zw/ywcfQbzqPM/3S97aYM5EcGKEmCnu6q7b5cIuISstDEuqTWWflY+5Sx/B8/lJhjgI5W7iW8xQkJCsrttv0/pDAKZJXm8FGI3CwLoE973sVaMsMhDvnjbIWm2zs6F74JzAQUcYRIVk/uQPmpj085rB40EuXYiXD0KI5vAXJ9XQH13WDrdQL4lrxVZP4v9gi/WirzX5dElPBl93/4xVV6+d+UndXJQc5I/F6F156k01p3RO1X3Op7lFZCng+AUcsslzJRSai+dpQs6KBUnMFZ0jUsYKTajujR3GHC/n3k/HP0pGpvtjtiNbNXuppEi8SB/0KJhEYjPBV2loXewrAN6bJuP9y6Eu5zAkwCmbOMFZWcGxemQzJTiNsuYXnn5+vd+1RWjgIzwS/XnETM/xj4WNOE+hWGBHE3ZZfDb4649buvzbYza3GislD31dnhFIbV8xj6yFUWfM9YOnu2Npjg+3b0I4SsOgSSe+FmIr5FXAY95uN2qi611JIu3SssBbjHDon2Dq0EX8/tEV3zND1zHxmi4Ph8WATqRh6E3dHAjHTJZTl9MBkBfr6dMXe9MasmFinI2SG9Xk7j5NJ0W3K3zDf40EV1FnuwN2k5sF/MiRJW9e4YFzEXKROXrV3e1dH78+Vg79SmBhooDp0M5PT94Ne0EJ7Q8167LXk6cQEAiyj++ql/ADr/16Y5/1hwFClDM6J2As1dHLtQkvEjpWxtROE9isjTO1XTWz7oefT+sMosShY4V/4T4imvVyaOw1vBKw3ukeu1obwye/BlMbMOgLM2BLK/kL6Mqqcwu064OPrqkfu+jW75foHZnpVm5x5sDsqoDXeYFSBuptyP0zsVSPFzx2vgwVTiy219mSx84990wsXv/T4i+0+zMrWAU8wMwJVJVxHl5HL48aqrI+zruhWViV8l29UPifU9SkVf+iHxPOgCa8IVArdcEBu99ZxFTXwGe7kuAXu0d85Hs1+rcHUKiCroQvXvJ7/nE/+a5uJJ/nwDW/dirSl6nhTf3ATg+1p+mwtmVgsoyZfWibyuzepPbwJ04wES+79esipGVjSj7QxRhYJqfiwi6/+/nVCHPmixkBLl53BFWfmwnOAUmJKbIYNTEs3u4DJsnk+Yn1ZUBTmCLCCRV+CVCT1hKTzWnZ9UjqwNe8eKiXzuDx2EXZWBXHWYztGvbfV1ufKu9+oK40WNmSYWMk3I1SuWkZ0gEMzYwIbq7BUmCGpljiQ5NCW4GTdc8Yb8o5tXc1qHhESyjvgcT/Rr7ctgne7uZyiMsgIbtdvpnf5J7leyJG5JEZRY6+LZdwBP7X3voTHNbQKanALJmxy1zicV1ImPARTeCtVLk88SzpDMCbprTK/LZXIHJ0adpt1OY7/ME+9Cy7ag7J47t1GNrD7clZ+arVki6ogcxgRgypfUA7EhWq+HxHZiLCQKcdvFEWnJaMmZ/xmACBAAAAAhWr2RzX0wSU5gCgYOWi33Wbs6jFjvC4GQctDjxJTVfI/bnNoRZGHlwKaqQGDVW0Ufk4zFcMCXJEKc5eRexfo0Q=="	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2253712635-4068079004-3870069674-1000\02itxkmgapihccnx\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02sozzxcsrmbdgzs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2253712635-4068079004-3870069674-1000\02itxkmgapihccnx\DeviceId = "<Data><User username=\"02ITXKMGAPIHCCNX\"><HardwareInfo BoundTime=\"1736615296\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tubtehzpogeoic	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1736615294%26hashalg%3DSHA256%26bver%3D40%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C528_BAY.0.D.Ch7cbTKivFyawQhb5Be207eXggVWxkQ0mxGT6DK/L72Y6UcxMkcWIGAECjNqCEyurmYBw/lQSaLNl/g/hLNZ0r/nmD7EvsUEpjg4ono92qgQJZDjmx5hb%252B/4eq2nfEgrl7uwKRD/tezkpCgzGvdLiy3oHrwSy5EaH8A768RDPeudA1CEJMogY2t1tsPkYbQS6dEoP3nWr8A6c192ZidmID7YxizfQ5u6Hb/MPHe8Kqf9YAJbv5PF31uBVrcOlMqsSMB9wsKLkBx4JjMFmpHCaXEKjNZTqmpf/qjqpfIHj83hw%252BEGYr9tiNZROBNKEOyVw/boEohXjz6vv3O7KXnvoo6FiZ3uLb5KUdRYHMIFmjIYQlmgTcZFEmZLLGVRSudmKJ2AqtCd6pQqv2cAk8RCHnLuMT8ZdeB9nGKrAsaYK9y47CL8FSSEVgummNYDfoMqUSqKn9yo8nMDnTMJt36j0ie8eHyyMOXzFxh0d6nsK/X/qPmNkEJorlOBbqWgWdH5lAxo%252BqA8XLkMulvhJkVZuOc%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3DebxYxPOfnj9KFH8vtM0rHgaTKdkdHuxD%26hash%3DOxVZtdn9nXcTx%252BYEvbBhOxoxMFF22V%252FxDskj2VQ2PCY%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2253712635-4068079004-3870069674-1000\02sozzxcsrmbdgzs\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02tubtehzpogeoic"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2253712635-4068079004-3870069674-1000\ValidDeviceId = "02itxkmgapihccnx"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tubtehzpogeoic\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02tubtehzpogeoic\Provision Saturday, January 11, 2025 17:08:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA39AsNM36qkOofOSRw0rukAAAAAACAAAAAAAQZgAAAAEAACAAAAClfvoWc4sgFnlvdh4gVqVyvi3cj7gGrOgUCzBF0IBgeAAAAAAOgAAAAAIAACAAAABWQCeNsbyvdaFI3Qj9DOwsFjyiVoQ6g5f78tML3muQHSAAAABMBYDe/SRnufBBX6URhKH05QlWf/vVyvvzA6OupqBtlkAAAACFZm19a1YPU4k0ko4zUATAiiqtB7oSGJ3g3AHjp3g0guRqlTxY63hsm3YblZhkQo84XNOzrzDzf1CWQggs2g8N"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2253712635-4068079004-3870069674-1000\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3472	Client-built.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe
3128	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	Client-built.exe
Token: SeDebugPrivilege	3472	Client-built.exe
Token: SeDebugPrivilege	3128	dllhost.exe
Token: SeAuditPrivilege	2236	svchost.exe
Token: SeShutdownPrivilege	3276	Explorer.EXE
Token: SeCreatePagefilePrivilege	3276	Explorer.EXE
Token: SeShutdownPrivilege	3276	Explorer.EXE
Token: SeCreatePagefilePrivilege	3276	Explorer.EXE
Token: SeShutdownPrivilege	3276	Explorer.EXE
Token: SeCreatePagefilePrivilege	3276	Explorer.EXE
Token: SeAuditPrivilege	2236	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3472 wrote to memory of 3128	3472	Client-built.exe	78
PID 3128 wrote to memory of 636	3128	dllhost.exe	5
PID 3128 wrote to memory of 688	3128	dllhost.exe	7
PID 3128 wrote to memory of 984	3128	dllhost.exe	12
PID 3128 wrote to memory of 388	3128	dllhost.exe	13
PID 3128 wrote to memory of 768	3128	dllhost.exe	14
PID 3128 wrote to memory of 1028	3128	dllhost.exe	15
PID 3128 wrote to memory of 1052	3128	dllhost.exe	16
PID 3128 wrote to memory of 1124	3128	dllhost.exe	18
PID 3128 wrote to memory of 1140	3128	dllhost.exe	19
PID 3128 wrote to memory of 1152	3128	dllhost.exe	20
PID 3128 wrote to memory of 1240	3128	dllhost.exe	21
PID 3128 wrote to memory of 1276	3128	dllhost.exe	22
PID 3128 wrote to memory of 1344	3128	dllhost.exe	23
PID 3128 wrote to memory of 1452	3128	dllhost.exe	24
PID 3128 wrote to memory of 1508	3128	dllhost.exe	25
PID 3128 wrote to memory of 1600	3128	dllhost.exe	26
PID 3128 wrote to memory of 1608	3128	dllhost.exe	27
PID 3128 wrote to memory of 1712	3128	dllhost.exe	28
PID 3128 wrote to memory of 1732	3128	dllhost.exe	29
PID 3128 wrote to memory of 1740	3128	dllhost.exe	30
PID 3128 wrote to memory of 1824	3128	dllhost.exe	31
PID 3128 wrote to memory of 1924	3128	dllhost.exe	32
PID 3128 wrote to memory of 1992	3128	dllhost.exe	33
PID 3128 wrote to memory of 2000	3128	dllhost.exe	34
PID 3128 wrote to memory of 1968	3128	dllhost.exe	35
PID 3128 wrote to memory of 2052	3128	dllhost.exe	36
PID 3128 wrote to memory of 2132	3128	dllhost.exe	37
PID 3128 wrote to memory of 2236	3128	dllhost.exe	39
PID 3128 wrote to memory of 2292	3128	dllhost.exe	40
PID 3128 wrote to memory of 2540	3128	dllhost.exe	41
PID 3128 wrote to memory of 2564	3128	dllhost.exe	42
PID 3128 wrote to memory of 2580	3128	dllhost.exe	43
PID 3128 wrote to memory of 2584	3128	dllhost.exe	44
PID 3128 wrote to memory of 2652	3128	dllhost.exe	45
PID 3128 wrote to memory of 2736	3128	dllhost.exe	46
PID 3128 wrote to memory of 2748	3128	dllhost.exe	47
PID 3128 wrote to memory of 2776	3128	dllhost.exe	48
PID 3128 wrote to memory of 2784	3128	dllhost.exe	49
PID 3128 wrote to memory of 2792	3128	dllhost.exe	50
PID 3128 wrote to memory of 780	3128	dllhost.exe	52
PID 3128 wrote to memory of 3276	3128	dllhost.exe	53
PID 3128 wrote to memory of 3428	3128	dllhost.exe	54
PID 3128 wrote to memory of 3488	3128	dllhost.exe	55
PID 3128 wrote to memory of 3808	3128	dllhost.exe	58
PID 3128 wrote to memory of 3880	3128	dllhost.exe	59
PID 3128 wrote to memory of 3892	3128	dllhost.exe	60
PID 3128 wrote to memory of 4028	3128	dllhost.exe	61
PID 3128 wrote to memory of 4296	3128	dllhost.exe	62
PID 3128 wrote to memory of 4404	3128	dllhost.exe	63
PID 3128 wrote to memory of 4700	3128	dllhost.exe	66
PID 3128 wrote to memory of 4852	3128	dllhost.exe	67
PID 3128 wrote to memory of 4424	3128	dllhost.exe	69
PID 3128 wrote to memory of 3468	3128	dllhost.exe	70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f74aafd1-762b-4339-b748-ff2c03fac089}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1452
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2792

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:780

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3276
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff70093cb8,0x7fff70093cc8,0x7fff70093cd8
      4⤵
      PID:3116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      4⤵
      PID:3168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      PID:1896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
      4⤵
      PID:4920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      PID:4988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:2092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15102335431301368913,16631419366385286489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      4⤵
      PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.e621.net/
    3⤵
    PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff70093cb8,0x7fff70093cc8,0x7fff70093cd8
      4⤵
      PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4424

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3468

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
c977c8da0cd0287fbb56b09daec6c88a

SHA1
09a332f63256766455ec0256379d98a2f83451cf

SHA256
a9990592d974dd3c0c36cb8d65c51d3a8ca4301c8d32329f4948bbdde861024c

SHA512
130b5ef3d14d3d97a01f5c8b4156af6e01a62551ece3c49dce01d4013729d485267cac4bedfc10d792dfa8555357505584fb8c503b5d7efad218255d42b8758d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
82f5da32fbd4f965574334ccd3123ae6

SHA1
c73c7c59771dfb71717483e7d5b4bb8775d73d67

SHA256
943b95a25b31e8c8924a96c630e38098daa67e2015ab1e7aa0afad2804d1682d

SHA512
be48c7c6472ec896f4ca6ff0772cf7267a7e872b53d5bc45c45e14097e5477209b9f0cb4baf5f780571d13d8635af6a3dd30af01d73d1a6c8ea79b16dfb777f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6f5da27d617f34190651f809d8a65a34

SHA1
3e8a27eb69a10d5d31d1be5b038d72cf11c146a2

SHA256
a691819db45b555cf8f6a0603fd69fb130747108edd5abef3207e162e1822e52

SHA512
333e0a1022cef88eee1ff30a7783cb3310d45f2b280971cc46fcb26368e960fdcbc66077104fd3804a155ea19f8644e47138c0bf69cab15bae7f3100ea430f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d80b8bc6206f1c69d74c5d4ca13d0377

SHA1
86e95006d86b78828505b46e943f79937425a105

SHA256
040a2aafef05e49c586df071c5b00854aae60ee7eae1f2070488bc2d50177253

SHA512
25a98dbb9889aa7e53bac16d6253398d7d2efab55ea59c257fc76de7ec3087660c78ee9adcd38d30cc382fdaac18f05e22344e586d722cc744a556c66423a33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e879d8d28811a6e3db4c5221ed04fb5a

SHA1
ee4e12b41493c67ac8e09594e67420a7b170e62b

SHA256
dfe6d1831dc3b0c1e9845bfd761a1af053109b2e5230a798dfb8df0b4421b829

SHA512
5850eb89c69c588d5ef4b5ef79c19e80c6a8b2c272e42e327f254584cb3551823f91192a3651c37e27e6079946c43430290a9d27ee6fc45f5d001c28cb51ea66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d9fc3abf3ab6ddd50f061ea1de489624

SHA1
38cbdbfa99a026e9e6de29594d5dd4a89a3e0d67

SHA256
d71f191d17a671003ff8f7cdb105c66a2d50f908c8960e428109ab5c022bdc72

SHA512
487e1ab5d11709770a6718e6cb9dcff7590607a1cd085ddc6f4421eb9dfa4ac0e45362e0ce776a9fd9858b3ab0190207a79c8c2df03218306b4bb0e8b356f413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c50a985b5ff3d2775edefa0dd77f348a

SHA1
1b64e9fed4bb8bd0faa9a9d5d1ef879e2dd74e73

SHA256
1bc2b3ce16f886a5fe5b2d5a4985908fd913830cc4e7577bdd25e905aaa100ff

SHA512
302783fb3d85e607b049b9ff1abb22d0280668787f5381e2b856979b5a4371f7891d6118f1ccad4d9f5cd0480aa1ce75b78929768c0c2c63683d6ac20457a68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f50ee61e-553f-4b31-9ed0-dc9903640935.tmp

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
44388305a9c3a51a2151575450baaf8d

SHA1
c504181ccdb10ac74d0d99036568b9eefbcb4c1c

SHA256
de8eb8cacee086fd5052f3b146c619a6604bcd8cf33ec9d5d30fd8ec7a136b1b

SHA512
65e7af367d5cd1e76dc7f0fc8c2d5dc2221f58859f1129ce68f79d58b4d8dc0733074ba36e3080f40fb80e5b4be8337091e0045b93b7be35eefe19b9b3438244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4d92b6af6e06c4c0a5d875ffc5497cf

SHA1
d3db7a2227c148b7dc272287cdb973956eb31a8e

SHA256
2eb2f1c8da0a95e998a9b676fdb19469a7eede6a3d710ca084a56bb838bf3061

SHA512
1ded17f915e10f03b20efd35a738cbb075b212176377fe35057c8bd86ace52800930442fd599a0f3fa401174e2f355a02956330c327b1019dc3d6010a72656d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2253712635-4068079004-3870069674-1000\Preferred

Filesize
24B

MD5
5a56567286000523fc0893f367165ca2

SHA1
78e7e2d8d1bc8d53d147d1763803fbbf26a825ae

SHA256
6d395ebd0b9ad14b8ba0b562d15345571b226b5ea0e0f4595df45a493a2ad420

SHA512
b677634c696bc4e1d414e2dc5b1171d3bb7903eecf06436b83eb58107a26b476d08182b575313d99402c2229183c3c3fecbca2c9e2adf0f451c7301736941f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Filesize
24B

MD5
4a189d6aa85906347e5b5d6e9fe5b0a4

SHA1
259c230b97735532cbfdc0b9fe910a0a724191a9

SHA256
e1cc9cb35f61a0a5196b25484a343d55e39971cfccbf8988dddd3d7b6125fbbe

SHA512
821ef0484061c05a641c0489d0688ef65e7a3f09b74e7fbf8d59887d2d1fdec3a2d02d6f5d2fe3cd01b798b07e93046b7234c78126066e87547a878a9d8a9e8b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
1c0b94244f3514d87666f05ba2a61426

SHA1
527abad9c147d7ad90807889b7dd0500d7d1017b

SHA256
fa84b215230ac00522a66593fedc7622f13216577b9a992fb50b87fed918cea6

SHA512
9a974a186513eaa0d0c672851fba74749cad00e711b08fc2ef2ad49a00d5d2aeaead37ff8e4cd53a16700e534400acd88b2f610d2855fb701b159a77aced5008

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
58023107e94530b9a6afc9f3026d5b2b

SHA1
2e667a3bce41c927cede1ab868050dd20bd13164

SHA256
8b9517bbcf6c04c3d9a0d91bbcad25c3358bee9871488f076b9b0a4c56b16acb

SHA512
12a1bf84c906bf3fcb41b63e531c5fff0a2bccc364827c31273acb2944013567d21e950151e29ad5ff07fd871b3967557bba81de45b3f3c3f87449d17c069a7a

Download Submit
memory/388-42-0x0000020CFF500000-0x0000020CFF52A000-memory.dmp

Filesize
168KB

Download
memory/388-37-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/388-36-0x0000020CFF500000-0x0000020CFF52A000-memory.dmp

Filesize
168KB

Download
memory/636-25-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/636-24-0x000001A173A30000-0x000001A173A5A000-memory.dmp

Filesize
168KB

Download
memory/636-32-0x00007FFF7F7E4000-0x00007FFF7F7E5000-memory.dmp

Filesize
4KB

Download
memory/636-31-0x000001A173A30000-0x000001A173A5A000-memory.dmp

Filesize
168KB

Download
memory/636-23-0x000001A173A00000-0x000001A173A23000-memory.dmp

Filesize
140KB

Download
memory/688-29-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/688-33-0x0000020DD65B0000-0x0000020DD65DA000-memory.dmp

Filesize
168KB

Download
memory/688-28-0x0000020DD65B0000-0x0000020DD65DA000-memory.dmp

Filesize
168KB

Download
memory/768-267-0x0000024931140000-0x000002493116A000-memory.dmp

Filesize
168KB

Download
memory/768-46-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/768-48-0x0000024931140000-0x000002493116A000-memory.dmp

Filesize
168KB

Download
memory/768-45-0x0000024931140000-0x000002493116A000-memory.dmp

Filesize
168KB

Download
memory/984-39-0x0000017415DB0000-0x0000017415DDA000-memory.dmp

Filesize
168KB

Download
memory/984-266-0x0000017415DB0000-0x0000017415DDA000-memory.dmp

Filesize
168KB

Download
memory/984-43-0x0000017415DB0000-0x0000017415DDA000-memory.dmp

Filesize
168KB

Download
memory/984-40-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1028-54-0x000001EA66800000-0x000001EA6682A000-memory.dmp

Filesize
168KB

Download
memory/1028-268-0x000001EA66800000-0x000001EA6682A000-memory.dmp

Filesize
168KB

Download
memory/1028-51-0x000001EA66800000-0x000001EA6682A000-memory.dmp

Filesize
168KB

Download
memory/1028-52-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1052-61-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1052-60-0x000001BB01260000-0x000001BB0128A000-memory.dmp

Filesize
168KB

Download
memory/1124-63-0x0000011186320000-0x000001118634A000-memory.dmp

Filesize
168KB

Download
memory/1124-64-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1140-66-0x0000024B2DA60000-0x0000024B2DA8A000-memory.dmp

Filesize
168KB

Download
memory/1140-67-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1152-69-0x0000025A38160000-0x0000025A3818A000-memory.dmp

Filesize
168KB

Download
memory/1152-70-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1240-73-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/1240-72-0x000001902D200000-0x000001902D22A000-memory.dmp

Filesize
168KB

Download
memory/1276-76-0x0000015DE2860000-0x0000015DE288A000-memory.dmp

Filesize
168KB

Download
memory/1276-77-0x00007FFF3F7D0000-0x00007FFF3F7E0000-memory.dmp

Filesize
64KB

Download
memory/3128-16-0x00007FFF7F740000-0x00007FFF7F949000-memory.dmp

Filesize
2.0MB

Download
memory/3128-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3128-265-0x00007FFF7F740000-0x00007FFF7F949000-memory.dmp

Filesize
2.0MB

Download
memory/3128-14-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3128-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3128-17-0x00007FFF7E4B0000-0x00007FFF7E56D000-memory.dmp

Filesize
756KB

Download
memory/3128-18-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3128-19-0x00007FFF7F741000-0x00007FFF7F86A000-memory.dmp

Filesize
1.2MB

Download
memory/3128-20-0x00007FFF7F740000-0x00007FFF7F949000-memory.dmp

Filesize
2.0MB

Download
memory/3472-8-0x000001D5BAB20000-0x000001D5BAB5E000-memory.dmp

Filesize
248KB

Download
memory/3472-49-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-0-0x00007FFF5E8F3000-0x00007FFF5E8F5000-memory.dmp

Filesize
8KB

Download
memory/3472-11-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-10-0x00007FFF7E4B0000-0x00007FFF7E56D000-memory.dmp

Filesize
756KB

Download
memory/3472-9-0x00007FFF7F740000-0x00007FFF7F949000-memory.dmp

Filesize
2.0MB

Download
memory/3472-12-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-7-0x000001D5B93B0000-0x000001D5B93BE000-memory.dmp

Filesize
56KB

Download
memory/3472-4-0x000001D5D4730000-0x000001D5D4C58000-memory.dmp

Filesize
5.2MB

Download
memory/3472-5-0x00007FFF5E8F3000-0x00007FFF5E8F5000-memory.dmp

Filesize
8KB

Download
memory/3472-6-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-3-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-2-0x000001D5D3460000-0x000001D5D3622000-memory.dmp

Filesize
1.8MB

Download
memory/3472-1-0x000001D5B8CE0000-0x000001D5B8CF8000-memory.dmp

Filesize
96KB

Download