discordrat | af41dbb0c726384d8622cbbb380d1754498b5663b4998993e87c82f2887970c5

Analysis

max time kernel
183s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 16:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

ec867ab06b4b2e564b16165f3cc7fe3e
SHA1

48cb3efca2cb8d060d2a5f073a6b91b635d7f9eb
SHA256

af41dbb0c726384d8622cbbb380d1754498b5663b4998993e87c82f2887970c5
SHA512

ea5a0c8ab5b50e6a5ed8f5eac98a0ee25799d3ba26618fb87839418bee802b9161c01ade77ae900d7ae9a90b78df7c77f5fa5fba1e74a3f973ec840c18a49f3b
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+4PIC:5Zv5PDwbjNrmAE+cIC

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNDY3OTcxNjc0OTExNTQzMg.GZ-KIp.2xqEJU1ciF3RTvSBH9CVUqiDkwgmUoUm1NpRo8
server_id
1328389800323059743

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3496 created 608	3496	Client-built.exe	5

Downloads MZ/PE file 2 IoCs

flow	pid	Process
54	3496	Client-built.exe
85	3496	Client-built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
8	discord.com
31	discord.com
45	discord.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
58	discord.com
85	raw.githubusercontent.com
7	discord.com
20	discord.com
30	discord.com
46	discord.com
55	discord.com
87	discord.com
86	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 2400	3496	Client-built.exe	91

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ifbuzhraljzjqu\DeviceId = "<Data><User username=\"02IFBUZHRALJZJQU\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ifbuzhraljzjqu\DeviceId = "<Data><User username=\"02IFBUZHRALJZJQU\"><HardwareInfo BoundTime=\"1738340427\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\ValidDeviceId = "02ifbuzhraljzjqu"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ygmmrhejyrygsu	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ygmmrhejyrygsu\Request Friday, January 31, 2025 16:20:27 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADPCtF0LLCk+R3WtqRmRvEgAAAAACAAAAAAAQZgAAAAEAACAAAAAIMH6TUClgjY5dMPgfSMyGn6EKKws/XY2PgcyYESas0AAAAAAOgAAAAAIAACAAAACr7PPEEQPZ83KE33XufG7hIJLY9CDj8wZFWouSlzNTrLASAABvIWOs/Vo7cTaOE1txl2ee1nWuPyhm1dBlsMBcluby3fdZBnrdzJxFzzuhVzA9KSLpm9UNaEGDt6X/lVyrthxXiYq4ljmFQtukPFQOqEapp8ARx9/zyuA5828pU75TLNKeFHj/sfh9h618dYdQ8aCz29jvPOz8lfNU5ETiR5fpqOO9imAReJmebbSlnXuvX6Fl4tMdcvqCuBJmh8HColSLyrIBtz63J0BW3Oh6jbqGoc9w/A3D4L0ERKrzXtJewjDfk3uPqb5UURXdkq1ghugsqe4FzLucGG75HU1lBawfgn0Yp6DQz7tmZP8i8Lm5iAdm5NW2Ds+D/QOf7yfIwuhPWPMvDUfEnxZf/nramma8DVAW6v5ynHPyIOT+V+DUVtF+YVz6rwgM+27jvtQ7D80Hxoy0KPZiOB8JJn+pJAcAqdAx0HTBLbAbIRSZDt55ubNHs3W/0qEoXHrg7l7Zs5nwdcteK3UKdG+PbgdqzSU8BB/FKbv6xvnxdH9y70FB6xsDoPsUt8sGbV+T6iIhnjsiLWnkhMpb5/2Cygv5nhFxCHmq9gyDgPdo62FtsgaP9exrFwO5FbZyYdROjQwwcqepzizVJuqkr8YAtG0JS+uEjIc3FW0/ub1JipNlUKP8E3yt50VZy4BV4yKqLAGSmmV4kmJnt2bucDDMHk/cjTlvoqUvbWvH/R8ZOl51L3Y8aXhm0KJodvAhHQ7340UZBl1Gz4vPmU8dYm49uW1OrmFe2i1FsEuLAhPojG8ww2qKkjpP2IOzkYhXp5lVwLAYl0zMM55tA7fR2M9OFb1tJgfGbR/lGv/lc5QFECYJxNs2m4y3Nul65bjhD2pvZab5y3qo1Viy2U8JHQpkqP3O5W9Fje4tSGhuK148cmvJweLLoqDioXSaRqYdZNgKOiH5i8y5IpM3RRVvGyYVtcWCnbNzOg28v0Iz8yK1SaDh+crQEpvN0L+dJcwbE99fTgzXZ0jqm/40vc8U05Jr0sQQXlDHGTedb4NMaZGHst1bLFAlGXyBC/vyPZYhlj9DdHmu1V0KY73m832ivTvse5IyS8tpWdFtR9nhQMChp5r/VnWdj5VMM4+YRX3uV3fCYClfaQZtWC2AfezTQF1PkCcZcrvIlc1VkrxuXaHc+TaiABZHAc3m7OudhmZIzeJBwFoDHvWW/bN6dhYldUp0XBaAjhpLMpstaNnu3YbcKAWn875w2ZuJvHjJKNr/0e06rpOBX1hfpGy/hD1Dujj9vtc8cmvcJwRW1r9q2v1E23rprGhRK3DGWV0zAqIvWq7PtBPMRSj6f0eL5gAqxmdE3g+eGs4s1k690uCI4blHtARxaTVAZm9Z3fz+O9uuH7GJKlucxip5Rhu96o4ZQbW1eIVv66XmZ9iLR8r9P8Upic2Va2XaVkFdGOCbQD7aeQaSME38Sc2AA3ECNORZGgrAfQNf9K1FbUx8zKoI6x3QQL4+Qz6epIu37I1GJrL94lzMSiwFUp0+662vC1kXm0nXitAxOknyfzY4g2PKWzXVMzP5mmsq9mQHH5sxsLbpTyxL83XS/bGnqyMIYavRzGNm07MOvQeb6vrCzBu9uiLtJjFxIjTJZRfHHz9/KLGYbYLwCyCC0iy47wQx+vejWb13AVl67gP5bSpk9HKvVFAB9NVmR38u6p6Z2GOfpMfib+S0nxDID33L7JHSGXxAvNjHTRhs0gp08bfXGNtrS4zKnQLKRdJbaiBxSAMCn7lz8/8TrssZKeY9R9X/SJf6BBlekvVAgXUqvFPm+TY9c6aUiY62MwoZDhZj+gww7rIUew0S/puDNRzziEhpW0o/h4a54zic8rE+1VA7ZsZ8V6uoOR+xdD2MaVumk3ApquBdxVQI7MCVtzYUEmRgJ57g8jcIW/Dnc34kal8nDXETKXsZSfEORIGP0fb3L5I9sRqWK8LSzDMNLTPqdJZX/eMCRcBnLn13OK8jZmLM2kNRvcW4Ol21mtpFK1pjOJaeq9VbTO1drkQ+23eDGdwySv4xT3Xef967g7qS8Y7e38ADiiZ71N1Nd6bp5a/7m4Qvd+otc70OwFxCGqk3UXJYMEBkxPdkzQmiS3U/RZ+yhxMuNe0AOIvEWIeHswGA873mgVkrQLx4UEvsGu3h+J+cAvjvslIx1Msau++ZHNXqUrCzRDbLObIVSUu/CQUVOUJ+g8yaLFr3xvuQD9B1bt6M28srfh8e1cxKOT3tiERM4dDJomY5DuaUmRoUe0DuRUXiVMuPnVC3Z88SYHLAKS2fH4eRmpnOCUAjJ2myN9SzmDEOgblJsUgMvYMrnWOY8emj1Vh8F9de+zIg32CjA070x1K3ks2ovDxeT2AETBIgM2rLvDkQdKjBEF1ORceZSHxIyl+IWeTrJK+vRJffHDAbBFiPkaSwiRqtEzQe/JjRjef5EkTpWcZtFizPS8p1shgHYIs7Bdp03VkbKDLxf/KYsUo+FcDxHC2/KN0X5YsExk6QBmOOEO0+6VtbVja8nYjStOwZy/V3m3Vc9JpssawEwTWuf1i1dKfr7gKHyz/pHhFz/j6PFAlT0nU39Tx+MASuIBTz5CphEO9YFW6JOB6Fd/+DGr1KA0SjlwPgEacP1lpk6P5UVnYcHxKCG0ZOtNApfn9sPBRc9IOPUB5+HXlfWRtvlwdRmOtwT/CLbZQe/tH+ur83Bdr46YdL83GOp+O3tMm4kY2OPrHrCidr0BgjZmryNHVnzgo9i1vJUczTWzd+4ZKIWBNbvZN0bHMQQF0RIdsY2Mqytj9HG9sJS66+Vxx+7m6yMDg+Xj3a1CvyjuOCZEYnX0YJc+E6S8twUKffdLu297MOVHWV+Zc0Had9Zk1SnWUGOgzYJjPNR2dn6xm/RsTbtiJ0fXQtxgKLwSW1whQvWtuGBopegKVJvHbZoL0KcMRDtlfbVr3CZ0B35mKUy4VLyGU0Fyv2UleSfCHnr4at+HPiBJ+UEt8WEADgLVkidoeg1qTXtHH0QNBWD1dZHJ5a9jvybAQGvBppk2HPS/vI8DfWWnfj1/gUZK/0LEW2hHorawe6r92WkhSmZ1vPEUb3AU8v/t1YulYpQmZkHXQiSEZTMm1Vhpx952C5Eia3kkKqEuajx95Q++blMtEynRY5svOqy1JvrpCkVdrt1qYPUtbwYaLpW/2YlkzGPED7QI9Yz9kBTQ+JX04Nj0fLCkZz/huyPqB4Tu53cnIJVnz6Qb17AoZD2TQId2DTtOtz1y7RhvW6gbsdSHEJggmQOweNCmq/l08DbqE6wBpZ01f3zVJiUfEKKNEsCCo+3JnO7Q8IHqJcS5WBh2sXO7wbLznbN9EAusRLQpRvmNp8CdSQTbuw0unfG2a8+0y57hpG5QBHO2YdBtE4HN0Fqq2bvR7T+lIdsFQiDbVYVmWBqZ1a+oonLb+XdaXuEkQrsVPgJbCDlu8wk1iYmU5ijgG9/lcMnA4QBZIdJ9NRnyeXpnRmuxw32A7NRIHyAirqXDQw81sd1QVQZMMt8owCtXcFGSvHRbsV95OuBYg9lIHqPBcwmOCfgqOPix+EISmF14JjxVP1Pu7xNnBdkGTYxfNr3Nd3KUdBKWVGsJVzbWWr7cSUltI1U4+G+xouzWZzXa3WAOLV4xCfJoOgNTH8N6cNW9wz4W9cT7zNTNG3GKoEK4w8caBgwFESTMJ0dCmRQsTD08GpxPJHk4VX4eoGHKjDzXRuI/Pv6IM+BFa1FbmjPFQz6AW8yBAOdTOtyQ/8TYKzQzknCj/3sulypBkLYleqv0PlDmyHayAnN3N+DX14yGyfKvL2VRZbvZmCvl9QO2LjU4Y2g0TyOvJEaePBhWb83+XLfnCB8/DP+PB4OZUDSW6ArBQ3HnEJAYi+cBlDQWrLLE9SnFlcbFOEYvkzp2vSpI4XPIUYa2vCaAYHS+XFwuRGT395EbDkYYT+7cVFZfJQTr5uGveSzYIaU57jwHxSpeuS+4xe+FHBu/Mnv9Tz2B4IxShWnAN6JGND1bdAinLlhQxkmlqu2ImSSUTBoAIqDH6T/pfjI8cs+sBXO5u1X4YMfYb0of78KIHeemGwZFz2Ce9NMfNbwuq+SKoS7t1T4DmT49yop4/6DTkG5cv75XYkwp8oOKbV9ySQr2Eii60M5DvCJvOKDONmBnjKOYdjvSYXDkGGShABdzNaVF8TsjUtG8C/Gxa6xOvQcVlBtvgQM6aVPGvmObKC/yQ8ahgF5Css20utOXKYWTDWG5rpKgHVeoC5x+G5weRHyN6zXdjcwcl7fdHveKOH/h2bNhGxFKbB3NoPnqwHOnptYKIiusVLPx2PnYul5NVQHC1rgwn5GROLP1WrHjmu6nsgiS1ouUAXaP8NB/KXpc9n6jPwL6T3rwwR9n6nw/QzshDLaI1DR2JBtu0pcBnRepZJWPW/lmUkKYrQ0L3tvEeFGi9jFivR0tfXWuHYFJhPVCuw9lS1XB4NBHuhZijcau//fwLXUN2fR2Dr6RBq5B04WoERn8tnDJmKBDGPHStf898Kds6nb4Yq2oByz/lM1m2n9tQoKH2crIyFmOnDnfydjnTWzW4NLKHwja2nB7RsEAEeAo9TkCjKzBeM7AtLoghvc3As0MdWeNLOaurCOEGjm/srAtNuM4Jxx+ncuFeTxS91Pw2bZ73NPHr8lCwib5kwXBwEiDEG37NjDuSC2M6TSGyC8GXVhkR8oA1Ditdhg3X2LZsa7sjXPjGNZ+gJh5TgFLiwE2GjjJ6dIjzVOsnEOfyPiGNoZdKI3HbB0GB3kN4/zw7ib9iUA134kNk3u1w3nTIgACL5lSNcDF5j97YWEtmjUFGvmxzEq+3zkKzKqqD5x8VFqSdSSGQOcdg9Qa2/zNtvL0PAPxRlLnd4lJDtrcjA8+zfvXRx3g/fn4AUdnprts86cA/VewBXCgqq48c7waFKtlghzqrhB88Tk0Cv9W6U/5LJXAfMn6eLdon8uII8CeR2yMEcWp1KsuQQ/b2QrTm0CRaY6TPOkL3jXJeV89ttJYmhLctVhTvl8rwFbtOR5LCoQznZaDWKLWSLWuM4/RGQjioR09llWPH4/XUKq9JxRGOu6Lk0KUQBELpZPeEufp3x2UXGKl/yxsrv+d2K0bdJ3zImljLb1iifG6MpFZBqdpPz1uO1ybU4VMcaCNXpfo3kFiXOjJGi7SXdGbsrh2pEum/NF7RMuEIC0+uN4ySnYE3EfLzTgmmmQyN6q+nq0IpkoHNgNfBuifzi4lpw5dd2slnwbI5pMRmOn9MdrmhJFh/2Br0gcuIQLBMoMw3ml9AftvQWUDIX9JAUfzDO+N72c9Yk2eotASiQRCuYCMVW6gx5LDoX6tJplOPUBktZMolorbgGzs+lFbLq/5Rb3ksEqDVvpky2Mn8lIbVAp6yYhsIW8n/VUfErEAt8U0UaEZccyzJx33Ohac9xKNLWbiJeDZNK4TcsBo/fiQbaA0vkb4OaH0C1hWOLoN16xg5kAiLdIEx6D0dYqhBdhaLP2QaRHwhKlxxJVwc62yy97riNmxy4O/2RZzqvLnS6OMIZkHdwqXpf/aa4HOVPyUchinjtsPqk338BOrYS+nuCS2KjJuwCjtLDS2SPjdPKf616A3nYHsfK7W8+EpTSKv+ZDboCB1MJH30v37IBE8KJO6HTtyCEKQKfmH/EtuL9f9VF5wEbzNz14rDBhQmdtsimbtwD4D+wMVULTse3QQl6BfUq9k9hewIV+T5RQcnMjwb5lv7+K5+xYb92ayP+eVL44SIEofXQMKsztPPj7B0Z1NcxtLwQgutNhq7anbL5l3WFSIr+aPIfjbCZ5REPfmRxhWFKycl4Vi1u9gVKgk+9Bb0PgQnNGqmbYoCqNuwpwKINX54SqajrH2z15DSOWptMQYFVzN8G5GHr8Ufevy+pvvIZT3/acGyxdM/89rPbBlf9xJxC/+fZCUfO8gq0soxcp5z8C2VZMOQAqmeH9UmtCz8WWoWODPzoXg1oTjAOW5HptO5gqlrYJIltDYW23lUbGrWVQgSDfL0o6qnOcVn8XMuxub9nbIbz60Yl6gqwtF8rBhBbOAZmoD5vUU0S40pcHsmsBRyrPOsmlP1JUtK7XVmYOZ+AEhPix+ID4jVpJ3FSulpyABAfOlnIIRLK5a3t52KMyFfl4jOCtIyO2qilq2g2S2bOefZWGmkSPhE+k1psgkZklKihEVrfl5eMk7j6ItBxgi0r7yw+4GchLz7BAFTA/MosYo0IXbtFtMRSN3I5lxGeXN9NOXNv3RiY3YkLPB7wLVQVH3zeyi7ePsIUv99YvTVbFlf8U2kQFs0XKlclRgC8ZH2pcu21UgiJ+DfkYFtOJmgbiniDV4qCYJIqj+Uw7noagl1F9e5+8OJnQiSbb2K4h3HSgzrcXJS/lkAAAACIXj+7k8UcqxT1jKQjdSR2b/bAmLS7mBPpERnTKZ2EBkudCeZRJMr2B1LUwTHzXzFcLURP5BmFRTY5+1hGUQNx"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ygmmrhejyrygsu\Response Friday, January 31, 2025 16:20:27 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADPCtF0LLCk+R3WtqRmRvEgAAAAACAAAAAAAQZgAAAAEAACAAAAC3q83nqpG9qnR33ViF7PLjkigIAywoBEhyjosHnret6gAAAAAOgAAAAAIAACAAAAB1hyh9v9l9HvlblsHUu+1iSCKUBeH1XkeQqjdU9PNdCIAHAABTeYmvcs5tAMFMJrNbg8OCBq52yftQXmwbE7G/myNbWl4drACihZmE0HR+eAdB1CMpXPmHBFy4goQCxh4CYniNAgIYqMoJjkfpn/tev9mbgIZ9D6U04aKFOMh9TQAJfk9CrvsI0TBnCbzSLjNo3EKZMslvyXM6Iy+x1H1URGdQ9b5RtYnivwZyWQH4335zn2co80RpiiaKQQMIqCbdOjTB2p7lX9cTCNNTj57WjBspuVp9gRGT9iX5cUaeUbnBEVxUrYyjwgNQLvnR4mBC+PisGoUuwa9hJp3N3Y+SESmRc2AE2swEIhm9J2m8ZKPooxobvkZKiWUv7YMhJRseK2XJ3Hcf6bKcoHsBOTHejghcqSWV6mrj1EcxVphwt4lvj/T/bjroNOxo0mrujgGjjZqIgbBnXBMWdnb60Nm0s1g4RZgfMhuiNRrQVx+YpyVkXNJz4gjKG6ezv4xG7cyCXcAZNRxt/12xrwmCg21/4ILZrtpbARMxoEeKwOoreZZVpOjSja4d51jJwVhCZQzxcFCCvTkGDerv2WyJ4xezFQPXSNTjYqRPtDGung5phRJ1h4hrjmXFzZxewk9ffVzzBLpylS6S+3GEtRrHdaFqiYSwHRyRPeEarA6cECCZ2/21UMvNpiCBgIm4sj2uvIh3dr8VX2mRJg8d/ypJen89cYwZemkVeDe5JA0jofGPwoyUZFwu+H16AmpHyPLMzgV7mqNB6apjxRTwFgwlv3vkXtv1Mc/sjYmTR4cnjg8wNBWu5FRbEo0nQwFvdw+W8pYLAzFtRmoar3wq9XadapBWfOzaXMyGbyET7zxot6WnP+P28W6P8rx1IPbNIrZCp8QEIewSJs81DHYaST8BaWub1pXja2AfD6EI4/bKe0PiUj/PhNXTJzF38CsoSvvTzA9gtaL/TSZmY6ixJSHwIJjIamuc867NWVkfmvr41Eucl9iZUvVubkkZ12RjzFztaHrngkj6yP7CHtDYM6FueKg93A15nLzsOBlGIycome7tBZ2C0Qw9SvUphI/B7CCsJsyNFzGWhFzY4OOmMjM8F7O2rPT09qBbGEoAJxmGT7LOn2JkF251zOhwhTZoK48d0ZfJfaLKkdQS1jliq7ra0VbZSxnTTXNU75DZbgQSED3Rgdaa18LDlur3N/p7elVzmSWyhU1Y0EO66QNBksNOfwiVE+t9Rn+ePFkmcmD5pN/KpKWYBBiXQZj1ECdVrFS700BkmlqKkPGW/VI5yKpDMchu3Lj9J/C16w0PBNXsHB0+07A1nl/UVmDKdHvClILlFCfG7upm4H3lvr0pGsbzlypii91IMjS+RdC6LJLPFth1Ani/8Z392rBDb0gj6XTrppQwxOtOqCbjcaUzv//rBVpidennk7hRuaF52dyehjlDprPkACb8cynh9p9xMSYR2pHlY34uDfyY1bZbFV0gq8fNbRAolf5YJYculP/mrrPW7aRVooeubO/Mx7KBwc78KFqeejRzeTFfizZygvV4Pa9Nptkdt02u/QQkKwqfhXkDSKNXxgPshyC64LnOP2RxM+ZdOOHDAk93nany4+/Co0ylRwSa5Fc+WGPsU+ln6qOEJhNHr9Op7qIRnjsjUSAeeO1nu1spaL0WDCMKBkHdxUme/F4fBu9eBQUduG/Zjl9sX9UPnttYyawWXsWy1hoNPhj8AOJo7CvJqqIOWKGEnCYFrSR/g8oYHzBoCRQiaP7Oko7xyL6mBfjYCx6pxKbmBZcKJ9NwRzIcMDCmR2W+V/XoqbN3OA+jP+jg1QzvCWoDlAXgUa9qTrY9gZTOjOIgbf2FmM1cgZ2/GeugPIqUHOPi42DocDC8p8Y+k6OnPVcxEyLL8gD3VWXSfhmrxWBWjcqS1f9/sfjhdn3KSmb5Sza2DQfvHf/F4adSsaDMAWfRLtVsKtuGsaTMc5E5KHfsjwFrxFkFYtwAIJx+gk/Kiz0M7Rz9/OAxICSFLQtZvv7K6vcqSliqOCbV8tBndDVRWFT/Q+gAjq4NA3WEfifk4eYPy1MnLOF2eyjF+cGTukarYauiqI6nxB2q2Jg0KecgiLwUGXLT9gxaW/fAQPtnbLzVqETwyJDKTFBDsXuMdOPWAuIUGdiViwSC3AERXpEps6EVgX+pwa8BlfBdGAHkzh67eiWdRsyMcO6hk062o2Tyg5SopbA79Fi3hRpEoSZjL6cEKEFuHsyswpdJJqoXeHXZtkz/AGmxeDHfvIu7XryrBali1BixlB91/1BHHs9Ld11GAZR3uqrdIW6W63+JCIxcWY6azMvAA7DNBKh0nK4WY0yHnTLZS799LI5wxjiVOdjYQ344fJw6Fvmw9s274QO4bLM26eUtRDpBjbXboiUNH/eb3xipYYiZqcsICktDH1ZlnMocKWicapcHpzK7sfViUpb7p8PyA/KwFcdTbebB3BjGw+B07yPZrAsurvoNnFxqwLNRsKsG/9CaA9jxkAXsLO2h6PhrC+9ZNZH/fce2HqfGhScj8MUXJ6gt7S6OE/Ws/XrgcMr+MWhQ3pNs6uPzlpHq1j64dhrGeaffZSbCKH50aIpAAAAAXQ4jCCxhOt9AJ6GTo9pBso5jGAYneWvBHi21rDyuFbq1A7C2O8L9SQc9M8tVqNElofATtAlwlTia6xYNdswF4A=="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ygmmrhejyrygsu\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ifbuzhraljzjqu\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ygmmrhejyrygsu\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ifbuzhraljzjqu	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ifbuzhraljzjqu\DeviceId = "<Data><User username=\"02IFBUZHRALJZJQU\"><HardwareInfo BoundTime=\"1738340429\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
3496	Client-built.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe
2400	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	Client-built.exe
Token: SeDebugPrivilege	3496	Client-built.exe
Token: SeDebugPrivilege	2400	dllhost.exe
Token: SeShutdownPrivilege	64	dwm.exe
Token: SeCreatePagefilePrivilege	64	dwm.exe
Token: SeAuditPrivilege	2168	svchost.exe
Token: SeAuditPrivilege	2168	svchost.exe
Token: SeAuditPrivilege	1696	svchost.exe
Token: SeAuditPrivilege	1696	svchost.exe
Token: SeAuditPrivilege	1696	svchost.exe
Token: SeAuditPrivilege	1696	svchost.exe
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeAuditPrivilege	2168	svchost.exe
Token: SeTcbPrivilege	5004	svchost.exe
Token: SeTcbPrivilege	5004	svchost.exe
Token: SeTcbPrivilege	5004	svchost.exe
Token: SeTcbPrivilege	5004	svchost.exe
Token: SeTcbPrivilege	5004	svchost.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeShutdownPrivilege	64	dwm.exe
Token: SeCreatePagefilePrivilege	64	dwm.exe
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3496	Client-built.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 3496 wrote to memory of 2400	3496	Client-built.exe	91
PID 2400 wrote to memory of 608	2400	dllhost.exe	5
PID 2400 wrote to memory of 660	2400	dllhost.exe	7
PID 2400 wrote to memory of 948	2400	dllhost.exe	12
PID 2400 wrote to memory of 64	2400	dllhost.exe	13
PID 2400 wrote to memory of 436	2400	dllhost.exe	14
PID 2400 wrote to memory of 860	2400	dllhost.exe	15
PID 2400 wrote to memory of 1076	2400	dllhost.exe	16
PID 2400 wrote to memory of 1104	2400	dllhost.exe	18
PID 2400 wrote to memory of 1116	2400	dllhost.exe	19
PID 2400 wrote to memory of 1136	2400	dllhost.exe	20
PID 2400 wrote to memory of 1212	2400	dllhost.exe	21
PID 2400 wrote to memory of 1300	2400	dllhost.exe	22
PID 2400 wrote to memory of 1360	2400	dllhost.exe	23
PID 2400 wrote to memory of 1376	2400	dllhost.exe	24
PID 2400 wrote to memory of 1500	2400	dllhost.exe	25
PID 2400 wrote to memory of 1516	2400	dllhost.exe	26
PID 2400 wrote to memory of 1532	2400	dllhost.exe	27
PID 2400 wrote to memory of 1676	2400	dllhost.exe	28
PID 2400 wrote to memory of 1696	2400	dllhost.exe	29
PID 2400 wrote to memory of 1740	2400	dllhost.exe	30
PID 2400 wrote to memory of 1784	2400	dllhost.exe	31
PID 2400 wrote to memory of 1824	2400	dllhost.exe	32
PID 2400 wrote to memory of 1836	2400	dllhost.exe	33
PID 2400 wrote to memory of 1844	2400	dllhost.exe	34
PID 2400 wrote to memory of 1924	2400	dllhost.exe	35
PID 2400 wrote to memory of 2028	2400	dllhost.exe	36
PID 2400 wrote to memory of 2064	2400	dllhost.exe	37
PID 2400 wrote to memory of 2136	2400	dllhost.exe	39
PID 2400 wrote to memory of 2168	2400	dllhost.exe	40
PID 2400 wrote to memory of 2192	2400	dllhost.exe	41
PID 2400 wrote to memory of 2480	2400	dllhost.exe	42
PID 2400 wrote to memory of 2488	2400	dllhost.exe	43
PID 2400 wrote to memory of 2716	2400	dllhost.exe	45
PID 2400 wrote to memory of 2724	2400	dllhost.exe	46
PID 2400 wrote to memory of 2768	2400	dllhost.exe	47
PID 2400 wrote to memory of 2784	2400	dllhost.exe	48
PID 2400 wrote to memory of 2796	2400	dllhost.exe	49
PID 2400 wrote to memory of 2804	2400	dllhost.exe	50
PID 2400 wrote to memory of 2828	2400	dllhost.exe	51
PID 2400 wrote to memory of 2996	2400	dllhost.exe	52
PID 2400 wrote to memory of 2964	2400	dllhost.exe	53
PID 2400 wrote to memory of 3088	2400	dllhost.exe	54
PID 2400 wrote to memory of 3380	2400	dllhost.exe	55
PID 2400 wrote to memory of 3500	2400	dllhost.exe	56
PID 2400 wrote to memory of 3668	2400	dllhost.exe	57
PID 2400 wrote to memory of 3832	2400	dllhost.exe	58
PID 2400 wrote to memory of 3996	2400	dllhost.exe	60
PID 2400 wrote to memory of 4108	2400	dllhost.exe	62
PID 2400 wrote to memory of 4544	2400	dllhost.exe	65
PID 2400 wrote to memory of 5084	2400	dllhost.exe	67
PID 2400 wrote to memory of 2760	2400	dllhost.exe	68
PID 2400 wrote to memory of 4400	2400	dllhost.exe	69
PID 2400 wrote to memory of 1528	2400	dllhost.exe	70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8848c13a-a061-4eb4-afc6-8e621353ce9d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1076
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1300
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2768

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3500
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Downloads MZ/PE file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://chatrawr.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xcc,0x128,0x7ffe38a146f8,0x7ffe38a14708,0x7ffe38a14718
      4⤵
      PID:1912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:3188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:2928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      4⤵
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15906424298037559999,4178045299151027182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2760

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4400

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1596

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3180

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2380

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1548

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3720

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
456B

MD5
958368c57d556f409282540422336cc3

SHA1
c53a351cf1c5789acc18e7e99047c04ef8527abd

SHA256
27d09f07073b592ce89906a6a83c06817872d1c03248de1d22c04b1a99deb73b

SHA512
8cb9eeb5d157fc9a4d00f2e119192b867e3d5a92d23b2fc61f95148e78d930f1b37c206719fae0c05712805cece8eb5c3ab10152ab87767314f91bc7d944436b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
4637df7305acc1eb62d7c7db560449d8

SHA1
b4fabc3d45f2afc6473a1b57383d9d4bcc65886c

SHA256
f7a9e27b30376f3de988717088d3f1c0233ed52cefe2d17423f1ee4a37c8c07d

SHA512
d9c6fd411d0a5b0f3fcb96040acbe76caddfbbee1d50f7a65f2a46fb7fb3747479e4883975e13e4664a302c559173f302198687b17581ca248b1eea43b5426f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
495158ac53802333a1cebd4cbb251f99

SHA1
165f732fbd00bad72e7bbc3cca3abc8798573f4d

SHA256
81e7445fc40c896cfd8b75796ea7e0d9f3706c9836e0c11302433da34b6c491e

SHA512
e713567375a70dd08b3c2c85fde92817f7edc1930d8f5de0e08e0980cc7a57a6ba01a040f83bcf50d136f5e867ecdbfb54e629ed40456250ba7f251ef8926667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0077f29dd0a5976729edacf457172fd8

SHA1
69c75e2c15a9b44381b6f5684252dbe91764a080

SHA256
61305ce1e5949fec0ef63fa1148936fff499b70535bcae049fc1c3fb11bf817c

SHA512
5c2c112a56f4863dc2cf1ac798c90f572d189871163edaf6a4580de1bee613e0d9d50c7fceefedefc3a1635edccb9bfb2d7ecbb06bd60f389e4ce51b9934ac7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
748fc2389420ee42ef0d68a34612805e

SHA1
41e73fcb02c3b700b4d5fbe42b764a5a0a506f91

SHA256
0209478de085a4693f1830b40f9d38c2bdd439f5c880a94c0697ad3937bc7945

SHA512
364350d98ca8a734fed1f492c3190b25638e610e7053f54ec80c9325ff6ee6a23a0895c91f48f0850824f4c3a6442ca8be97f0f9abe8c800fa3c76336ed9021c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de4515628002497555ed65ebbd23bb6e

SHA1
e1032052c7c45de045fba2cdd285038621f18579

SHA256
32dc2a13e6d18705bb02ce378ece55814dfbc0a9ea9f7d65d2c8d92352837a4f

SHA512
2281387bae797f6e3b41201f110de00e3d38d4743ca2d9d303f4db65aaa66608fe3c9b52423234a155ae4ed251bfd80456b19fddc50ccf00c54ef614a162ef9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\eafe6153c1b5c6de76a99a241106b827f1271c13\d3a384ce-59aa-4be6-8b07-9f65ebc79d92\index-dir\the-real-index

Filesize
72B

MD5
15c4901a81fd74169b12bcdcccbc3c8f

SHA1
8c3e4d2b7fb58d700e908abbe7a4c03255d0ad53

SHA256
5951fd8e091b4b622d6ea453eb3ec5f9b57b1df5f4dc5ae657854cdca0ce5e50

SHA512
3eb7abd45d58bf804792f4085316c238b63211412c7b7bf9026ccd1707a2459a878520db111c736361c7de23754c002a273c32f93ee42f9316c1e8410f4e2b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\eafe6153c1b5c6de76a99a241106b827f1271c13\d3a384ce-59aa-4be6-8b07-9f65ebc79d92\index-dir\the-real-index~RFe5a181d.TMP

Filesize
48B

MD5
98cf16f4ce14d4a15b5f584a99436d9e

SHA1
6db8e6e0c3c92771e70a69ef337edd6a004252fb

SHA256
10de11d00213015fc66140efe1322b2b3ed3f4c83669fa597832dd9149b6e7d8

SHA512
7173ed32d73d755ea2b0afc232bfdfa2661be99e4959e18d17f5775b00ec2f47ec95a972b4036f7d31937ac64f3444503a0e2a8c0c453cdd25ddf397448602af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\eafe6153c1b5c6de76a99a241106b827f1271c13\index.txt

Filesize
95B

MD5
8b339ad9c9410dbfe4af3e8b8f7cd415

SHA1
b2818ad380644efd70d8bd30809457200759fd6b

SHA256
4e951cdcaa7d52489f70b695707a09030ad5bf2d8020355449fd32ad644e0e49

SHA512
142e38f11f460e776fa6d0e13fc0160bd5c1fbc0716be67f48529c7bb6e61986cf66fcbf2b75d46db90321a97f46c2b5c14d1d48a8afe0c59d845c32a18fc04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\eafe6153c1b5c6de76a99a241106b827f1271c13\index.txt

Filesize
90B

MD5
9b1007166eb7fe39dc0b653586b3288b

SHA1
9f66c2a6f6e6e6977c02d3de4c502c45044875a2

SHA256
1e4be4eeac37ab818db7a08fbf4a0765b5f68316fb6d97ce8ae0f3ea7f7385fa

SHA512
ebf48ddb03b874a1c82f4ab66a739845c84f2e5740209f7600cf58cf683bd8ce4e79a59e3c4b37090e5a8dfc0dbc6d2a46f3877eb1384f9d319a168c59d15e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f893c536bf548f937808305d70ab8ab0

SHA1
7057ee152a021cf2dbc6590d1fb067c032d4200b

SHA256
dc5b4c3da4f20ebbf9e04379e6c51120327cdcc8ca82ea73be0795ce7a276884

SHA512
56a272a5903bab5c2b7f3f9cf4f679237529a5958c25bd2eea1296587e0efee121c6ef0ec998fe7a82053d222fab118655700d9aabed02e375f8837f0cc890cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a153f.TMP

Filesize
48B

MD5
91afd5d9ebfae0a9d97cd234f0eed4eb

SHA1
25092f61eb159510ef8c8ec111751126cc29fa5f

SHA256
8bf7e95e15a2b613b85a4e88ff296b7bd5df1af86a9e2e382ca0c4c28994a084

SHA512
a5fc350aaacca65ab466cc5dc8eb3408da7814d5b74383334c2612228517eadb2e00d72820008cf703460707d7505e8499a64a1aaf064863e831828b16b36793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9c52afef2d114d7f322d588bc1b445f

SHA1
12301912c79cbddfc4d9ea2db668520b4ce73a36

SHA256
00ff1f5dcd8f6c258ad4c240528e719aa12fa9735549ae620401da55d2f76b28

SHA512
2ea4c5edf5152c942a6be947dc75adea5ad54f4f95c5abf4ba96e025d1fc04eb5dc356a698763785ec87cd85682a98f2e3de4d87df08dd90fcd7e97cf7c67bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
047e25592c0ba9266af5294a7154f192

SHA1
9fd0dc18771081243ada60c7ed04420c3d242e32

SHA256
0ac424bcc7110a2d5fae2355238077e92aee7d3d5f8406f352e2c7f1a9792071

SHA512
32bead1906ce88436f591fb3c302b3ef945238225413451a817be65c735bfa5e1cb29afb30acf6337db24e28bfd51e439d86097e2e8de2daf0d4266b02ac3a32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3756129449-3121373848-4276368241-1000\Preferred

Filesize
24B

MD5
2ac07006c8f14fd6b739ae150dccef1e

SHA1
7e74073c1f738588d659fa8e00cdea6cce05f169

SHA256
c623c70728f32fe41e397e3ec4d9cc430472c6a7054f9cd544d2ea8fa8a54155

SHA512
992eedada9a6a83c4cfae82de911537250531b067ec6c376f5470cabe762346d9443608e84e3c65110746b42648fa948236568bc2425902b9792158f2b8b1001

Download Submit
memory/64-29-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/64-279-0x0000023A901E0000-0x0000023A9020A000-memory.dmp

Filesize
168KB

Download
memory/64-28-0x0000023A901E0000-0x0000023A9020A000-memory.dmp

Filesize
168KB

Download
memory/436-37-0x0000029EC83C0000-0x0000029EC83EA000-memory.dmp

Filesize
168KB

Download
memory/436-282-0x0000029EC83C0000-0x0000029EC83EA000-memory.dmp

Filesize
168KB

Download
memory/436-38-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/608-19-0x000001F389650000-0x000001F38967A000-memory.dmp

Filesize
168KB

Download
memory/608-33-0x00007FFE5B3CD000-0x00007FFE5B3CE000-memory.dmp

Filesize
4KB

Download
memory/608-20-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/608-32-0x000001F389650000-0x000001F38967A000-memory.dmp

Filesize
168KB

Download
memory/608-18-0x000001F389620000-0x000001F389643000-memory.dmp

Filesize
140KB

Download
memory/660-24-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/660-278-0x000001364E480000-0x000001364E4AA000-memory.dmp

Filesize
168KB

Download
memory/660-23-0x000001364E480000-0x000001364E4AA000-memory.dmp

Filesize
168KB

Download
memory/860-283-0x0000028ACE9D0000-0x0000028ACE9FA000-memory.dmp

Filesize
168KB

Download
memory/860-42-0x0000028ACE9D0000-0x0000028ACE9FA000-memory.dmp

Filesize
168KB

Download
memory/860-43-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/948-34-0x000001A34CE40000-0x000001A34CE6A000-memory.dmp

Filesize
168KB

Download
memory/948-281-0x00007FFE5B3CC000-0x00007FFE5B3CD000-memory.dmp

Filesize
4KB

Download
memory/948-280-0x000001A34CE40000-0x000001A34CE6A000-memory.dmp

Filesize
168KB

Download
memory/948-35-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1076-46-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1076-284-0x00000209D2D60000-0x00000209D2D8A000-memory.dmp

Filesize
168KB

Download
memory/1076-45-0x00000209D2D60000-0x00000209D2D8A000-memory.dmp

Filesize
168KB

Download
memory/1104-50-0x0000022C45DA0000-0x0000022C45DCA000-memory.dmp

Filesize
168KB

Download
memory/1104-51-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1116-53-0x000002353C860000-0x000002353C88A000-memory.dmp

Filesize
168KB

Download
memory/1116-54-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1136-60-0x000002031ED40000-0x000002031ED6A000-memory.dmp

Filesize
168KB

Download
memory/1136-61-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1212-64-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1212-63-0x000002BE58F20000-0x000002BE58F4A000-memory.dmp

Filesize
168KB

Download
memory/1300-67-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/1300-66-0x000001B8E2000000-0x000001B8E202A000-memory.dmp

Filesize
168KB

Download
memory/1360-69-0x000001C3B27B0000-0x000001C3B27DA000-memory.dmp

Filesize
168KB

Download
memory/1360-70-0x00007FFE1B3B0000-0x00007FFE1B3C0000-memory.dmp

Filesize
64KB

Download
memory/2400-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2400-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2400-13-0x00007FFE5B330000-0x00007FFE5B525000-memory.dmp

Filesize
2.0MB

Download
memory/2400-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2400-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2400-14-0x00007FFE5A5C0000-0x00007FFE5A67E000-memory.dmp

Filesize
760KB

Download
memory/2400-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3496-513-0x0000017AB6FB0000-0x0000017AB7026000-memory.dmp

Filesize
472KB

Download
memory/3496-7-0x0000017AB6550000-0x0000017AB658E000-memory.dmp

Filesize
248KB

Download
memory/3496-0-0x00007FFE3D2D3000-0x00007FFE3D2D5000-memory.dmp

Filesize
8KB

Download
memory/3496-514-0x0000017AB6160000-0x0000017AB6172000-memory.dmp

Filesize
72KB

Download
memory/3496-515-0x0000017AB6F50000-0x0000017AB6F6E000-memory.dmp

Filesize
120KB

Download
memory/3496-9-0x00007FFE5A5C0000-0x00007FFE5A67E000-memory.dmp

Filesize
760KB

Download
memory/3496-517-0x0000017AB7080000-0x0000017AB70D0000-memory.dmp

Filesize
320KB

Download
memory/3496-8-0x00007FFE5B330000-0x00007FFE5B525000-memory.dmp

Filesize
2.0MB

Download
memory/3496-6-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp

Filesize
10.8MB

Download
memory/3496-5-0x00007FFE3D2D3000-0x00007FFE3D2D5000-memory.dmp

Filesize
8KB

Download
memory/3496-4-0x0000017AB6980000-0x0000017AB6EA8000-memory.dmp

Filesize
5.2MB

Download
memory/3496-3-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp

Filesize
10.8MB

Download
memory/3496-2-0x0000017AB6180000-0x0000017AB6342000-memory.dmp

Filesize
1.8MB

Download
memory/3496-1-0x0000017A9BBC0000-0x0000017A9BBD8000-memory.dmp

Filesize
96KB

Download