discordrat | b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d

Analysis

max time kernel
107s
max time network
106s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kernel Mode (1).exe
Size

78KB
MD5

6119c2fd88393d762b0bfa24620b91d4
SHA1

ccd132085d4756f88e7d554c671cd7ba01e38887
SHA256

b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d
SHA512

a6a43cb61c18414a49fca46ed39df7c1595632753ce36a54fe9b1f9311c641a2b5af096c5add40d6ae79070760b7f9314ff8796bf1475246c7db6dfb94ddcc77
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NDkyNDE2MjYxOTAxNTI2MA.GE89pU.6SDUNoquBQfG7ltjuIHlLjl_DRADwSdfVSug-c
server_id
1351601990072795178

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks SCSI registry key(s) 3 TTPs 33 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4432	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	Kernel Mode (1).exe
Token: SeDebugPrivilege	4432	taskmgr.exe
Token: SeSystemProfilePrivilege	4432	taskmgr.exe
Token: SeCreateGlobalPrivilege	4432	taskmgr.exe
Token: SeDebugPrivilege	5132	Kernel Mode (1).exe
Token: SeDebugPrivilege	4788	Kernel Mode (1).exe
Token: SeDebugPrivilege	4800	Kernel Mode (1).exe
Token: SeDebugPrivilege	3168	Kernel Mode (1).exe
Token: SeDebugPrivilege	4872	Kernel Mode (1).exe
Token: SeDebugPrivilege	4904	Kernel Mode (1).exe
Token: SeDebugPrivilege	4952	Kernel Mode (1).exe
Token: SeDebugPrivilege	3524	Kernel Mode (1).exe
Token: SeDebugPrivilege	4200	Kernel Mode (1).exe
Token: SeDebugPrivilege	2884	Kernel Mode (1).exe
Token: SeDebugPrivilege	3852	Kernel Mode (1).exe
Token: SeDebugPrivilege	1164	Kernel Mode (1).exe
Token: SeDebugPrivilege	5812	Kernel Mode (1).exe
Token: SeDebugPrivilege	1880	Kernel Mode (1).exe
Token: SeDebugPrivilege	696	Kernel Mode (1).exe
Token: SeDebugPrivilege	768	Kernel Mode (1).exe
Token: SeDebugPrivilege	1796	Kernel Mode (1).exe
Token: SeDebugPrivilege	5760	Kernel Mode (1).exe
Token: SeDebugPrivilege	1940	Kernel Mode (1).exe
Token: SeDebugPrivilege	1196	Kernel Mode (1).exe
Token: SeDebugPrivilege	5736	Kernel Mode (1).exe
Token: SeDebugPrivilege	5844	Kernel Mode (1).exe
Token: SeDebugPrivilege	5468	Kernel Mode (1).exe
Token: SeDebugPrivilege	1704	Kernel Mode (1).exe
Token: SeDebugPrivilege	1056	Kernel Mode (1).exe
Token: SeDebugPrivilege	2124	Kernel Mode (1).exe
Token: SeDebugPrivilege	2904	Kernel Mode (1).exe
Token: SeDebugPrivilege	4568	Kernel Mode (1).exe
Token: SeDebugPrivilege	3912	Kernel Mode (1).exe
Token: SeDebugPrivilege	5872	Kernel Mode (1).exe
Token: SeDebugPrivilege	3188	Kernel Mode (1).exe
Token: SeDebugPrivilege	4408	Kernel Mode (1).exe
Token: SeDebugPrivilege	4492	Kernel Mode (1).exe
Token: SeDebugPrivilege	4856	Kernel Mode (1).exe
Token: SeDebugPrivilege	6184	Kernel Mode (1).exe
Token: SeDebugPrivilege	5072	Kernel Mode (1).exe
Token: SeDebugPrivilege	3832	Kernel Mode (1).exe
Token: SeDebugPrivilege	6320	Kernel Mode (1).exe
Token: SeDebugPrivilege	6236	Kernel Mode (1).exe
Token: SeDebugPrivilege	6464	Kernel Mode (1).exe
Token: SeDebugPrivilege	6488	Kernel Mode (1).exe
Token: SeDebugPrivilege	6580	Kernel Mode (1).exe
Token: SeDebugPrivilege	6752	Kernel Mode (1).exe
Token: SeDebugPrivilege	6732	Kernel Mode (1).exe
Token: SeDebugPrivilege	6896	Kernel Mode (1).exe
Token: SeDebugPrivilege	6796	Kernel Mode (1).exe
Token: SeDebugPrivilege	6988	Kernel Mode (1).exe
Token: SeDebugPrivilege	7108	Kernel Mode (1).exe
Token: SeDebugPrivilege	7272	Kernel Mode (1).exe
Token: SeDebugPrivilege	7100	Kernel Mode (1).exe
Token: SeDebugPrivilege	7432	Kernel Mode (1).exe
Token: SeDebugPrivilege	7716	Kernel Mode (1).exe
Token: SeDebugPrivilege	7288	Kernel Mode (1).exe
Token: SeDebugPrivilege	7708	Kernel Mode (1).exe
Token: SeDebugPrivilege	7892	Kernel Mode (1).exe
Token: SeDebugPrivilege	7488	Kernel Mode (1).exe
Token: SeDebugPrivilege	7928	Kernel Mode (1).exe
Token: SeDebugPrivilege	8088	Kernel Mode (1).exe
Token: SeDebugPrivilege	8176	Kernel Mode (1).exe
Token: SeDebugPrivilege	8196	Kernel Mode (1).exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe
4432	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
13408	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 14108 wrote to memory of 12256	14108	Kernel Mode (1).exe	220
PID 14108 wrote to memory of 12256	14108	Kernel Mode (1).exe	220
PID 11848 wrote to memory of 8648	11848	Kernel Mode (1).exe	221
PID 11848 wrote to memory of 8648	11848	Kernel Mode (1).exe	221

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5760

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5736

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5468

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5872

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6184

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6236

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6320

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6464

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6488

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6580

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6732

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6752

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6796

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6896

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6988

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7100

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7108

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7272

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7432

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7488

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7708

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7716

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7892

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7928

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8088

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8176

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8196

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8220

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8308

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8440

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8568

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8584

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8656

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8944

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9000

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9160

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9168

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9224

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9272

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9392

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9516

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9564

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9848

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9888

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10124

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10184

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10208

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10284

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10324

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10332

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10648

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10688

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10724

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10732

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10780

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10788

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10808

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10892

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10908

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11344

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11404

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11412

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11604

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11612

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11732

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:11848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 11848 -s 1684
  2⤵
  PID:8648

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11864

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11972

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11984

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8644

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8972

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10904

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10920

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10928

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12452

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12520

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12660

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12704

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12716

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12792

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13076

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:8832

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11796

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11648

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13432

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13544

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13560

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13568

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13788

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:14072

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:14084

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:14108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 14108 -s 140
  2⤵
  PID:12256

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:12340

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:11948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13408

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13576

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12748

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13996

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11808

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12884

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13736

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12852

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:14112

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12520

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11632

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13980

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13772

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11692

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10216

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13744

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:14272

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13780

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11844

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13748

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10604

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10396

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11896

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11672

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13352

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10692

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12512

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13392

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11708

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9804

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12844

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11676

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11936

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12912

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:11656

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12644

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13472

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13556

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13272

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13980

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11948

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13736

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12852

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11616

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13540

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:14280

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12564

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:10216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:10620

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13324

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:9632

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:12364

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13072

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:11552

C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe
"C:\Users\Admin\AppData\Local\Temp\Kernel Mode (1).exe"
1⤵
PID:13732

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4344-0-0x00007FFBD90E3000-0x00007FFBD90E5000-memory.dmp

Filesize
8KB

Download
memory/4344-1-0x0000023A54600000-0x0000023A54618000-memory.dmp

Filesize
96KB

Download
memory/4344-2-0x0000023A6EB60000-0x0000023A6ED22000-memory.dmp

Filesize
1.8MB

Download
memory/4344-3-0x00007FFBD90E0000-0x00007FFBD9BA2000-memory.dmp

Filesize
10.8MB

Download
memory/4344-4-0x0000023A6F3A0000-0x0000023A6F8C8000-memory.dmp

Filesize
5.2MB

Download
memory/4344-19-0x00007FFBD90E0000-0x00007FFBD9BA2000-memory.dmp

Filesize
10.8MB

Download
memory/4344-18-0x00007FFBD90E3000-0x00007FFBD90E5000-memory.dmp

Filesize
8KB

Download
memory/4432-17-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-7-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-16-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-15-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-14-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-13-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-12-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-11-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-5-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download
memory/4432-6-0x000001FCA1220000-0x000001FCA1221000-memory.dmp

Filesize
4KB

Download