badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

23/02/2023, 03:18

230223-dtzaasee76 6

23/02/2023, 03:06

230223-dl9fasee57 10

23/02/2023, 03:00

230223-dhndnaee52 10

Analysis

max time kernel
622s
max time network
624s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2023, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231bb-506.dat	mimikatz
behavioral2/files/0x00060000000231bb-509.dat	mimikatz

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisableCopy.tiff	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1784	6F18.tmp

Loads dropped DLL 1 IoCs

pid	Process
5032	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\6F18.tmp	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2404	schtasks.exe
1364	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133215988370098013"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3592	vlc.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
708	chrome.exe
708	chrome.exe
5032	rundll32.exe
5032	rundll32.exe
5032	rundll32.exe
5032	rundll32.exe
1784	6F18.tmp
1784	6F18.tmp
1784	6F18.tmp
1784	6F18.tmp
1784	6F18.tmp
1784	6F18.tmp
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3592	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
3592	vlc.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe
832	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3592	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4456	2172	chrome.exe	82
PID 2172 wrote to memory of 4456	2172	chrome.exe	82
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2604	2172	chrome.exe	84
PID 2172 wrote to memory of 2852	2172	chrome.exe	85
PID 2172 wrote to memory of 2852	2172	chrome.exe	85
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86
PID 2172 wrote to memory of 4840	2172	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ca049758,0x7ff9ca049768,0x7ff9ca049778
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:1
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2784 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2784 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1796,i,11350186558773079909,8489936519400094085,131072 /prefetch:8
  2⤵
  PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:4520
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:1136
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3542433249 && exit"
    3⤵
    PID:1240
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3542433249 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:32:00
    3⤵
    PID:1052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:32:00
      4⤵
      Creates scheduled task(s)
      PID:1364
- - C:\Windows\6F18.tmp
    "C:\Windows\6F18.tmp" \\.\pipe\{13738308-DE07-42A2-BB58-A14456DC00C1}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1784

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ImportDismount.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bdc0edb8227b6b2942ad8bd7feb12a12

SHA1
559f0b3313c07424365ad1411ef2c79592bd7651

SHA256
c4689c5b88875513d887fd4f573148ffb4b0d52ee126f46108a6b7fdcf902323

SHA512
012a0781b0e56be46716f4d398f66369869dd62ed5cfd532daceb1cbd2611d5475e9629921277ff905ebacf7709e5cca818a1e0135c7757c271ec908c36fce98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3a4ff23920571cfb094b83fc8de67b36

SHA1
bd0a4695c685f453426542db98277db2a7ef38c7

SHA256
a5855bbd6433d48d70ff4f001fa1c96bd4439afb7b1ccee172610bfb4fa6fb92

SHA512
5955c777f696cc7ec6da1e95e32486801b66f6cd3d12476a1f60efbe787f175731f6034f64b6fc3c546894ae10176ab9c362e6ac3996e893e46b1cdb1e30f9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
18d241d9c6f1c998779e88ca1aba2e31

SHA1
0ab9e48cd1b0698d259f59cd716e1cad37c8eca1

SHA256
ca19328742c4a1d0ca9a43facba0e0153424aa3ade27fa04b8876d513a07462e

SHA512
b0fbe548fb3854e900da1aa14cc48c7fc381720c1fade18ca5ad4f690c8ed42b85c5a00aee199cf68f12c81a10606c9ab51e778a8b8cca08637a64b2477d9b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a882c943296c28e302cada5860ae92d7

SHA1
59587ef48af63dfd3f56363bec633e876bc00059

SHA256
42ffb7410fa4f3e8dc88286afc702a336428517d57f37f9c8485f8af45b0bcc6

SHA512
35ff496a630ec29890d180f060809b7dc24b6771cbbb2e8a258b2a57187a8db563a9a2ed343340f2f563e1e3a5596093db2125202391704bffd2922e47b03688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3a39887ec31ec5cd6a25d1849e58a74d

SHA1
7a174ed5047ca597883224a0be2bc1c8b469f267

SHA256
0429f26c325e33c5c20b41dd8720af91cca9caf70f9502fb8a8d88ecd027e766

SHA512
47e9b2253a5f2e4a3f45d9644652f8ab1b723c5006de6f16aca6b55a2ef138783c020d5d3d25bbdb4ee6d6bcfdd6a43134df5c94ba05529ec4a3c2055e96e895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
52d7b2361da00fb00651ef40f290b4f7

SHA1
34460010281f1dc99b13030a78d011537bcedf4a

SHA256
aad2233f74deeeca1c931a4d9b53ae299fc59e0b27347d7192c489ae11980c10

SHA512
731371a38d6dd225e7eaabf4f2a475a2318453151cc0ff3ce9ec2c2bcacd06c68153d6053cd5f60d0dbde6d8d5245d3e9276c31bc3f1ce6de02ae734b438f22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0de4f63d50c0615555eb6494a390ba0b

SHA1
7e7a9376436903e71e5b952cf5296560b1f06d21

SHA256
a125a82d438f2c3002df8fe54182a51fc1aedf051bf00e0f9ddff9c21d06853a

SHA512
6b4c05d4e9a08270c7ed48b88f15704e7a952c7d5420127acc865e2a872a5cfcae41c414d9244659a8879a56ec7105499f0b4bd42d308fd1ef24aa98ee7f9211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3f5e67e2d0416e19629e310f06aafb7f

SHA1
1439cb6b1d532a7914c26c3b530a75e533b1af23

SHA256
fa6496459f02b62d671e1e2b22ad31d75010c7a78b6c4e3bcfc981c429594dc1

SHA512
a70e5ec25dfe377f1e4e4a46517e616fd02770c49f76bfef0f583a6a1777728d89984e5156ff585eb526f702f6f369eb3cc3c9e524cc5a8963fb6968778cb84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bef3861d03db66287ab449ec45130a58

SHA1
3be9dd8f1104372846643246a609d70f21cf6968

SHA256
f38d22b4040b2e17d59efabf81a049984c4abaa617adcb936d6b3c8b80741a4d

SHA512
9f2b1a3e79a66bb9bcbaaaa2be024e19c436969599e15989504524b814df3f814193b74599af9a8cf39825ec97f064add9b021fdf4e61b3c33cde6bd0bfb0dc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3178c3c6428b57704dffc21889de7985

SHA1
f4d12c054601ea478c99360c0886e2562956b6a9

SHA256
fb72b171e3d3c189fb9d6a6b1cb7acaef32a4a77204990c92d589c904fce869e

SHA512
015d694cd2d60aa84460f5d62d08c20fb5fc307d8e275a5db2d08650e58750e4f76963bd8b4f662b6b3b1a377033ee854a89886a12b3f28e276dbc05328e6eac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4235f7011a9972f8ef58f02ae6db599

SHA1
7332ddd5d2567a0704c95dadf1b713eb7149b25a

SHA256
205e05752a06b2462f04ae49d5bbfb3b8456202780573d54c80c5deaa6fb1789

SHA512
f04f34956b6d6b7343f49c7c8aeeffbd78720f277878b153165f7e728e531d183b6eaab0a471fff5c7879769fcb246eaad3138a99b6a9c6b78da8af399889df5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3c7b3873451c2e2e3f622e34f7ee5a25

SHA1
a8038d74c0fba90a13abf5fd6137a3fceee22c57

SHA256
149aecb778460bc9cebcaae3534dbda42941517d253770d62c6cef7cb78e0335

SHA512
324bc4068a4d66ff45f1ad7d4e7fc01e5ab58d47007f8683a7d36e94b8b1855d1230310152e4cc00d45a5c4f497180e276633a1cf73508bac048842414d43b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dcc51b8d21bbf514f536b493cc013a3e

SHA1
98b8f6817e4346d9e7927ebe001f308faa8ba31a

SHA256
9739d0fea356ef4aa0ce28ee5a70c855c9ad7f835fa1f0d5a5825c99518db8fb

SHA512
280961e90fd897803295e723d8969f46b363014995497c7353e24283327664c1a08af0cc4aa41bb78b9d417661062041e884232b17c0dea887bfa57be8cfe65c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cab42b634bd5f15168fff380a403faa3

SHA1
566c167f71b145239b6923100f1411734efc7c94

SHA256
1c1971febbaca23f0afd3d030076adbbb35ee1a0bea3562745ca2ea9149878aa

SHA512
99c616a0f0c4d17f397d11db86c809313c82fab01fe2feb914b2b6086fc4172ebed65cb304bafab57abc0580e4c5b5b2363dc68f57dd1723cfbe8f74fdf792cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
503a2d64d712e65698a0e66a4564dcb9

SHA1
90563e889d506eb7aadde0d1f7d5c93f0dddf421

SHA256
5491213f08db53e82cd80c721742886e775080fe952ec2ff63c8e6638a9a8e66

SHA512
94e96b9b627895aa09987a9f288b9576143865c87bf9ed1749a42569f6929add209da70b55517ffbfb613daba9f480a5278834b6ea259a8d3f0156061037e448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
732d31a9f6d32f3f0df087a396a05417

SHA1
7ee6cdcd63cd793021cfa66e2fbdef36c595de56

SHA256
e1917198e6378e953e7866b711d80cecd47e7cb57f380b1e20e21c716aa271f4

SHA512
97fbf13ecdb5bcc7385ebc9d19dc673355c596f9e262d95dfb3ce7d6ce2f6c0c97c1f8059bf2e5f309ed71280a8f3df8d7f6e16bbc563cebd7df1a2aa52e48f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
18f230c6b72dfdb24820ceb6ce7f2f8e

SHA1
4a069aebb33b8e8a450e78763fb16788c5a50a3b

SHA256
cb574c91118b1f8498e1420905f12c8c80019805fff8df67ce9ccb8140ca8c11

SHA512
d6517deae3132fe40728d9a5f35f7c234366ec8d8f648dccce6bf44eb6ece9cd3e86b92209ab0d848a830c0bf8cf043cac9828ce39b1f038dd8ae85688432a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
949d0ddf0022d25e405285ef7a16664e

SHA1
da93fb51ffa191d474dc2bb72ccea18ff13d92a8

SHA256
e51010567140803f98b90858e785a2d51bb5f6ac14043b82f832e4b2dde61055

SHA512
39931d54747fc7ac353c109fbdc1cb43f1ce54003297dc33327708581a5068dab7a435a4fd57f9f8020bd6f06b54fd789d344b7bdd0cd15fec618426253aafaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5d1cd2.TMP

Filesize
96KB

MD5
9e6a0543b45fed5ae97d672713eccb65

SHA1
18f9faefc2c9a751189fc0f67b6f31e1ddaa229a

SHA256
17c443ab38760925ff407ebe53d5cc672b1d115c0f4305f166a778a7a944c292

SHA512
ded6773493baa26d3781e1fb11f90a1ba9e32f4853d648eff7bfa71ff1ce549144d18865bddd974c9ff10b26dd763e7d690fc4be632ab014be702d6f77876dd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
de04c478827c2eed31a12e82b309979c

SHA1
35a330e91e714c682d3e1a5f926c7428fabb0d91

SHA256
05fa34e3c5206ae35d9b02cc0ba20c7b2208a52185f9041c1b146f6404688a0d

SHA512
54869aeaca927ad02d1eba92090d5e36f882ecbe75449e2fb7662a98e8bbdf8226691d4700ff1206c22977c37e2b0c9c47adc1d6817f6e75181c76b7a567f81d

Download Submit
C:\Windows\6F18.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\6F18.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/708-285-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-287-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-284-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-286-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-280-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-279-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-278-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-290-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-289-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/708-288-0x0000018461670000-0x0000018461671000-memory.dmp

Filesize
4KB

Download
memory/832-544-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-545-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-554-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-555-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-552-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-553-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-550-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-551-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/832-546-0x000001D9DA880000-0x000001D9DA881000-memory.dmp

Filesize
4KB

Download
memory/2604-136-0x00007FF9E71A0000-0x00007FF9E71A1000-memory.dmp

Filesize
4KB

Download
memory/3592-542-0x00007FF9C8E70000-0x00007FF9C9F1B000-memory.dmp

Filesize
16.7MB

Download
memory/3592-543-0x00007FF9C8B10000-0x00007FF9C8C22000-memory.dmp

Filesize
1.1MB

Download
memory/3592-541-0x00007FF9CAA20000-0x00007FF9CACD4000-memory.dmp

Filesize
2.7MB

Download
memory/3592-540-0x00007FF9DEA30000-0x00007FF9DEA64000-memory.dmp

Filesize
208KB

Download
memory/3592-539-0x00007FF74F610000-0x00007FF74F708000-memory.dmp

Filesize
992KB

Download
memory/3884-215-0x00007FF9E7340000-0x00007FF9E7341000-memory.dmp

Filesize
4KB

Download
memory/3884-214-0x00007FF9E86D0000-0x00007FF9E86D1000-memory.dmp

Filesize
4KB

Download
memory/5032-497-0x0000000002FD0000-0x0000000003038000-memory.dmp

Filesize
416KB

Download
memory/5032-489-0x0000000002FD0000-0x0000000003038000-memory.dmp

Filesize
416KB

Download
memory/5032-500-0x0000000002FD0000-0x0000000003038000-memory.dmp

Filesize
416KB

Download