discordrat | 88d0b715a36832b0e69d30b180dd927800969ab1f0e3b21e584cd8033373dcca

Resubmissions

31/03/2025, 15:21

250331-srce3svnz4 10

31/03/2025, 15:02

250331-sesarsste1 10

Analysis

max time kernel
900s
max time network
894s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
31/03/2025, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

7943c195a125d0684b7f139d22485d30
SHA1

d8e99c1d9c3fc1b3d54932510e8c15ef35326610
SHA256

88d0b715a36832b0e69d30b180dd927800969ab1f0e3b21e584cd8033373dcca
SHA512

1c563a84162fed409ed9dcd5c76c031ebf03ed0309f554ff7662421412ea213d310dd01fa5e8dfa4256bfe71ca5406d759446006cb13c36b84c974d0b48befff
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIC:5Zv5PDwbjNrmAE+IIC

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NjI4MTg2NTE3ODMxNjgyMA.GeoxaT.ocqOcSIpXr6UreUuaB7hoXHmcnhfEknTw6-SuE
server_id
1356279473779245056

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5608 created 640	5608	Client-built.exe	5

Downloads MZ/PE file 1 IoCs

flow	pid	Process
32	5028	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
1504	Client-built.exe
5608	Client-built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
52	discord.com
57	discord.com
66	discord.com
54	raw.githubusercontent.com
16	discord.com
28	api.gofile.io
45	discord.com
48	discord.com
50	raw.githubusercontent.com
51	discord.com
53	discord.com
16	api.gofile.io
17	raw.githubusercontent.com
49	discord.com
56	discord.com
58	discord.com
68	raw.githubusercontent.com
69	discord.com
55	discord.com
47	discord.com
70	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5608 set thread context of 3256	5608	Client-built.exe	113

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4a83910_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4a83910_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\Downloads\\Client-built.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879070011134439"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
4640	chrome.exe
4640	chrome.exe
5608	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
5608	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
4428	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
1504	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
5608	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
4428	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
1504	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
5608	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
4428	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
1504	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
5608	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe
4428	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
1504	Client-built.exe
3256	dllhost.exe
3256	dllhost.exe
3256	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	Client-built.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeDebugPrivilege	1504	Client-built.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe
Token: SeShutdownPrivilege	5304	chrome.exe
Token: SeCreatePagefilePrivilege	5304	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
5304	chrome.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe
2044	SystemSettings.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2044	SystemSettings.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3304	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5304 wrote to memory of 3360	5304	chrome.exe	81
PID 5304 wrote to memory of 3360	5304	chrome.exe	81
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5044	5304	chrome.exe	82
PID 5304 wrote to memory of 5028	5304	chrome.exe	83
PID 5304 wrote to memory of 5028	5304	chrome.exe	83
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84
PID 5304 wrote to memory of 5072	5304	chrome.exe	84

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{88e03d42-af36-47db-98f9-578174d05deb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1916
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C0
  2⤵
  PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2552

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
PID:3304
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff804b1dcf8,0x7ff804b1dd04,0x7ff804b1dd10
    3⤵
    PID:3360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:5044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2256 /prefetch:11
    3⤵
    - Downloads MZ/PE file
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2344 /prefetch:13
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:4572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4236 /prefetch:9
    3⤵
    PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4688 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5248,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5256 /prefetch:14
    3⤵
    PID:560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5512 /prefetch:14
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5264,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5612 /prefetch:14
    3⤵
    PID:4372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5700,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5496 /prefetch:14
    3⤵
    PID:4220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5548 /prefetch:14
    3⤵
    PID:6016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5808,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5620 /prefetch:14
    3⤵
    PID:4144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5292,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:5756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5756,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5984 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4708,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4740 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4816,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4692,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3484 /prefetch:14
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:5352
- - C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=228,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5744 /prefetch:14
    3⤵
    PID:1720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3824,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5276 /prefetch:14
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4172,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5800 /prefetch:14
    3⤵
    PID:2560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5792,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3516 /prefetch:9
    3⤵
    PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5276,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5748 /prefetch:10
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3096,i,14332259460661204774,269143042025559400,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6136 /prefetch:14
    3⤵
    PID:404
- - C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:5608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5808

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:5964

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5424

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4844

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2788

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
400B

MD5
0b59085f6bdb3dd0a9394945065701af

SHA1
0ec81dd24fc103e1020a08492ed9fc8a266afd3e

SHA256
91870a8380b83a1b9cba3c361a3103171fa6f0c3e1d779ee96b8f4615085ac69

SHA512
081735fc4da7e39c854ea46007975c1b5a58eeed926f416997ef8f887bba47946fd483fa99ca1a74bac80f0883504fb1858e4fa62518b706e783d7d8c053281f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
47d7a5c1dc7705c1431967e2cbaa2022

SHA1
6e6d23f172fe3bf0b8e02ebb2af2022b063e9105

SHA256
c5fa5774b1b387c4fd8de6aa079db70c036c6e21147e9e7d9d513f55a83597b2

SHA512
f53f3783efdd699aa72dba306811b0e7b7b9f547218d88540cc7ccdf3011a6868015fb4d47fafe5d62a71799d0b9bcd70c07a82ad7f83c1135148bda04648564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\978cb144-7374-4f6f-8af6-dd119d1cace8.tmp

Filesize
155KB

MD5
913e47965dad7f524a355a8ca93a68ea

SHA1
bf82c0deeda114f0fede248f7da4ac65c1cdb3d0

SHA256
47e9343c677941d13d8d4ec63a6327517556f862ac49660819f0e4c8e5ba696f

SHA512
82a34deb0c3a6679d31cd1a4fc5c5388fea1ef3100696b64c7f25a142b65a54a17ca835d4612e4ed9643a66651b6190d99150f044fbb3b69fc27229f200061a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2dd462afe2117f0928e4d61083f665cf

SHA1
357f2b9ab8c41b3e21e423c589926dea4ce6be4b

SHA256
f77962d7eaccdfa428d486a7115fb114c3a5c5a63959114a436a35548f306a3c

SHA512
33c799ad130cddefa96650431f2ec6f5239a87543bd85b0b2d92b159e7a9fcf8fda02dc14d3814461ba787b54885e8c14bfd1cff256391b034c7bcc2f99f9d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e2f858f815fa070ddd2937cda6069821

SHA1
d63e112b1c7365cb855e9cec0deda558c2cb462b

SHA256
7a2831e572f1446232c118d8b02f9c8ba35eed4b942c7e15a0f83f6b2ec0999b

SHA512
66681dd140baf0e86bef82cf7bef0b4d1defe03a89c493352495530ba3e966d8190297b18789e630c83ffc4a09d6f9673bfe2aec2520cadd81e4d34355e90224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a59d6d5fdf008b60c51b348917741332

SHA1
2f25970974724e6f4eb6b8cd900ac9212910c4cc

SHA256
4ed19e507ef5575b03560c586765eb25d2a0463be231a72b7eb7d0fc93139585

SHA512
2bf5738fb2f7dd9ef6c01897e1c0471069eb5cd903102e7a5449d91e056893bf07550f7507efbf625176aefe5f9f58439f890dbbfa12d6807c4f1b8c932f2fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
845B

MD5
5db2d94e2558854a882553aa3162bd08

SHA1
ce4f5ced3597fa3a88021e4f94f63fa261c1e34c

SHA256
f9920d7589bf88c13b9a94474510ffcbea4e6a036c4531673fefd4dfe1e2a750

SHA512
ad7d026647ac24251decdb5cb57855fe1b1356a8b6d3f913c24d56a13944333307331ce3f21f8c61bf3181acdf48ac86c7e9447a4462c047c99f289d5b45b1bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7a5f0c2169a5147bd9337950303b1603

SHA1
8759e098e4b32b8bec978618620bf1c175fb171c

SHA256
15bf1dd52bf16848c222faa18a60d80516649a99659216dd79f57388cb9c5541

SHA512
63fab3507f40b3741a05c79a19191c0cdc2edb59380cd2ff615d283d128a71644d2ce66a9c8727b19fd65faa7530760f78a7110ee7247cf10a1050f7a518a790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0fb338fff8c1c079a1e4431840511079

SHA1
9e5395cacca596df04618e1ba82ff18537a42adc

SHA256
c384212a9136806ce60a03ad01a140465306de99d68109796cf6128e9afe846a

SHA512
9db978a295ea8489927b0ff45142613f1a0c3783dddc34f538013bd84fe337ecda9e5a1b438f2084bf06496d1284ceaa6e6351f93089afa9f3f3bf97bffcd2f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
81659d6c6aead37809f48325a965d760

SHA1
2c20ab4767dbc1c6a8888faff3eb06e1b95b5945

SHA256
6994dc3ad383c9c159a95fded46b8476ba1924d5adab937db108234213daa235

SHA512
c30bde791d2c7efea533911540da01a7445b0c915e236cffedf709a584cb1faeb090c285fc0c95714bcf9f1e9ca658d699ad855a62c788c4953bffb5b5641fb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d190aed71529df61da87786e0db29f3

SHA1
ff74c9f3d0620046cd892a9a88e9ea3c76f93750

SHA256
3bc0464f5646a4328652989687809cee19d1a386ed6bc536f690bc3d71d767f5

SHA512
b2486baf372632a7d9e749c1f2906cacfec22cc4bfa1aa3852500c3ff2e118ac228895213532b4418ee6376bb86e839e2b61e4bae0a23c338379dc82983da4f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
24371926bf2e3fb187353bad1260aa8e

SHA1
bfc625f509d3b01a38a3ffa501d77ddca34243e0

SHA256
6444843e58b68b104a91c1ff8b9321db5f042c75485e4ba97864578b1a3e8d7c

SHA512
3d3112a0cd63b2f2d0f1508c7f5c79659210be92616139f62628a36476af6477365d042645159fcadb9fea8977cb97da29e4df484af21eba6af78c6040160a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
53b12935cf4fdb280b766d640b90f6c5

SHA1
9bc438d5ffafd814b1d0e84ea296cd16aa617740

SHA256
786a6ce19d042df0776d63d8366af877d0064018e79a7ef38a1b014a261dc2f2

SHA512
3c6ca85d65727ecfece662b22bf511439cae9f7aaf66f592d816e84697ef8253a73a3ef913db247d986f9ea543a7bae4d1e1bfb23199c99783484c4464ccd7ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
8cf1a1417fc553c57ad1e0d7a937fda3

SHA1
e97933ad52aa35697bc0296693db8e71659b6950

SHA256
c423436b2ee3b8128a4b4b43d23f9b3b17361b9882d1d1ebaa1228375dc9ee68

SHA512
7ef0052b89ce72286b1dfbcd501b78862db6a808c40b8b964b78a438830d0701d142f1667c13104dccd2ba4553cc9e052daee2effe7e4174c057ad12000a7dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ab297ddca257ee6b5524dc02e1c42b9f

SHA1
6beeb1009ace85c494b643cb4d6122dca1258613

SHA256
24e268965b669f91e3cf2af9fba6414243da4e14f1493beb40c88a2376fbe050

SHA512
ba5448448c538b7bb4baa4eafa9d4bf262436cc0ca7622b26b380223f8927d03a8b11e41a506309f163b55bfd9c03adba3dc36edfb148100039062c41220ab8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1260da272a29ba18b0fa936083d3731e

SHA1
40a2087dcf68c5b4c6fb53a0e881304f84ba2c43

SHA256
1be653ed5f0ecb3263bdd35a05ed52b3c542654cb34f010497290e8c92e3a3df

SHA512
3e5dfd67fe6a09bcdf1cafd767e45acba180693e2f8748a46282367f1c1024c4239f97d4a21f1f97754bb20f3cf05231cacae85f381ad13d4a867a80ce7555d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5853e7.TMP

Filesize
48B

MD5
fe14f85e7c6ace2295216e8a709cbb91

SHA1
92d28fd8dc5a2de4a00f6a734334c23a21d87c93

SHA256
3015f24ae80878736cb633b631323b66914525fe11b12f8ae0ec8c1bdc7b84f0

SHA512
12f1dc14fe77028ea0405ecc4a36f468f9b91e31ec8dd029fd5424f0d3eddfded30322502848bd3e949d60dfec03d6d781e8811614608c997a822ebe5db9f1ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
c30538ce21b19fb25118c96a9e094e78

SHA1
a9206a586b5de058ab04dec2c4b3adecdc699b50

SHA256
8175cf4ec1b928a5ac0a333bae0478da94787f01d0abd9878535c0aa657427ec

SHA512
a85ee3aa613b5a09d19ec328896151f553cf22ac9c513f6a23530f61ec39ae28f683cb83161b8230f34b4c1c7d664df7bbd9f3cd5efb3649165279fdfa4913b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
dfdc1787cd3dbeede9ff592e8ed45dae

SHA1
6521634321bb6f4680a961c60c762622c1118eea

SHA256
b0300eeeba02566a39687ceeb3e335e96d62b607da9c6de487ae2035583a2a5a

SHA512
a864443d9bd84c1d2b18ca0ae525323836265977f6d05433a1eab38110fa04620f91038ff4a5bfed90d915eaa05ac614cdac2e0994e0172cf76c783732fd318f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
0fca197f6bea4e7279bc72bdf71a5914

SHA1
ea241f88e9946265820fe65f2d1173c5a283eb01

SHA256
ef48bbc06b48e3f06c8d84919b1a07fb3a55dace573cfecee946533ceb22e087

SHA512
9e577a27515b2bbcfdb9a335a4b83cb07151d56ac06e94e5a9b477fd49855710367eb50c3ba5a6a091a2b793762bea08b708eea2d6ffc6adba90b4b7bd55a767

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5304_90909118\83f4ee4a-f5ca-47f7-9089-cd3bedfd94a2.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
158B

MD5
134e43469eb65aa6b22c1eb6a3dc2e05

SHA1
cada461a080998014a9ddde1670684a44cd21563

SHA256
00ec5836f40f33fa190a321e543bb49e04572faeed1d443eafa290dd0ee790be

SHA512
d079b21719b70940d3c6a924710aa922dc4fcee8ec8af3f5cf78e45052f3ba3b168e4e000c5f9ee1dd52ddaa526c1a7c9bc54051376e5f3a71b1fa5b8e95b59e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 886733.crdownload

Filesize
78KB

MD5
7943c195a125d0684b7f139d22485d30

SHA1
d8e99c1d9c3fc1b3d54932510e8c15ef35326610

SHA256
88d0b715a36832b0e69d30b180dd927800969ab1f0e3b21e584cd8033373dcca

SHA512
1c563a84162fed409ed9dcd5c76c031ebf03ed0309f554ff7662421412ea213d310dd01fa5e8dfa4256bfe71ca5406d759446006cb13c36b84c974d0b48befff

Download Submit
memory/428-668-0x00000179A0A20000-0x00000179A0A4A000-memory.dmp

Filesize
168KB

Download
memory/428-669-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/640-661-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/640-660-0x00000251FBF80000-0x00000251FBFAA000-memory.dmp

Filesize
168KB

Download
memory/640-658-0x00000251FBF50000-0x00000251FBF73000-memory.dmp

Filesize
140KB

Download
memory/700-663-0x000001F1C5170000-0x000001F1C519A000-memory.dmp

Filesize
168KB

Download
memory/700-664-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/752-680-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/752-679-0x0000020BC4FD0000-0x0000020BC4FFA000-memory.dmp

Filesize
168KB

Download
memory/756-675-0x00000101FC3B0000-0x00000101FC3DA000-memory.dmp

Filesize
168KB

Download
memory/756-676-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/988-672-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/988-671-0x0000022462890000-0x00000224628BA000-memory.dmp

Filesize
168KB

Download
memory/1056-684-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1056-683-0x0000024023B40000-0x0000024023B6A000-memory.dmp

Filesize
168KB

Download
memory/1064-690-0x000001C85BBA0000-0x000001C85BBCA000-memory.dmp

Filesize
168KB

Download
memory/1064-691-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1168-694-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1168-693-0x0000024EB2260000-0x0000024EB228A000-memory.dmp

Filesize
168KB

Download
memory/1192-697-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1192-696-0x0000022709160000-0x000002270918A000-memory.dmp

Filesize
168KB

Download
memory/1260-700-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1260-699-0x000002316F190000-0x000002316F1BA000-memory.dmp

Filesize
168KB

Download
memory/1276-703-0x0000025F5EF70000-0x0000025F5EF9A000-memory.dmp

Filesize
168KB

Download
memory/1276-704-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1368-711-0x00007FF7D6510000-0x00007FF7D6520000-memory.dmp

Filesize
64KB

Download
memory/1368-710-0x0000013A424D0000-0x0000013A424FA000-memory.dmp

Filesize
168KB

Download
memory/1432-713-0x0000027FEC9D0000-0x0000027FEC9FA000-memory.dmp

Filesize
168KB

Download
memory/3256-653-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3256-652-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3256-654-0x00007FF816480000-0x00007FF816689000-memory.dmp

Filesize
2.0MB

Download
memory/3256-655-0x00007FF816090000-0x00007FF81614D000-memory.dmp

Filesize
756KB

Download
memory/3256-656-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4428-6-0x00007FFFF5620000-0x00007FFFF60E2000-memory.dmp

Filesize
10.8MB

Download
memory/4428-3-0x00007FFFF5620000-0x00007FFFF60E2000-memory.dmp

Filesize
10.8MB

Download
memory/4428-1-0x0000028149210000-0x0000028149228000-memory.dmp

Filesize
96KB

Download
memory/4428-2-0x0000028163B90000-0x0000028163D52000-memory.dmp

Filesize
1.8MB

Download
memory/4428-0-0x00007FFFF5623000-0x00007FFFF5625000-memory.dmp

Filesize
8KB

Download
memory/4428-5-0x00007FFFF5623000-0x00007FFFF5625000-memory.dmp

Filesize
8KB

Download
memory/4428-4-0x0000028164290000-0x00000281647B8000-memory.dmp

Filesize
5.2MB

Download
memory/5608-904-0x0000021FA6E50000-0x0000021FA6EC6000-memory.dmp

Filesize
472KB

Download
memory/5608-905-0x0000021F8E060000-0x0000021F8E072000-memory.dmp

Filesize
72KB

Download
memory/5608-906-0x0000021FA6DD0000-0x0000021FA6DEE000-memory.dmp

Filesize
120KB

Download
memory/5608-651-0x00007FF816090000-0x00007FF81614D000-memory.dmp

Filesize
756KB

Download
memory/5608-942-0x0000021FA9DD0000-0x0000021FA9E7A000-memory.dmp

Filesize
680KB

Download
memory/5608-649-0x0000021F8E020000-0x0000021F8E05E000-memory.dmp

Filesize
248KB

Download
memory/5608-650-0x00007FF816480000-0x00007FF816689000-memory.dmp

Filesize
2.0MB

Download
memory/5608-964-0x0000021FA78D0000-0x0000021FA7B9A000-memory.dmp

Filesize
2.8MB

Download