badrabbit | hxxps://raw[.]githubusercontent[.]com/Endermanch/MalwareDatabase/master/jokes/Time[.]zip

Resubmissions

10/04/2023, 00:41

230410-a1vznsfh8v 9

10/04/2023, 00:38

230410-ay6y6aea89 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2023, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/jokes/Time.zip

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000231b2-484.dat	mimikatz
behavioral1/files/0x00060000000231b2-487.dat	mimikatz

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertToDebug.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\WaitAdd.tiff	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3624	5EA5.tmp

Loads dropped DLL 1 IoCs

pid	Process
4108	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\5EA5.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4188	schtasks.exe
4696	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d93b5b04e245d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C383BDB7-D748-11ED-8227-6655A42BCB16} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{A8FE44E6-82A9-4C3D-8082-1FC387C90C74}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
3624	5EA5.tmp
3624	5EA5.tmp
3624	5EA5.tmp
3624	5EA5.tmp
3624	5EA5.tmp
3624	5EA5.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4132	iexplore.exe
4132	iexplore.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4132	iexplore.exe
4132	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2244	4132	iexplore.exe	76
PID 4132 wrote to memory of 2244	4132	iexplore.exe	76
PID 4132 wrote to memory of 2244	4132	iexplore.exe	76
PID 4392 wrote to memory of 3912	4392	chrome.exe	92
PID 4392 wrote to memory of 3912	4392	chrome.exe	92
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4192	4392	chrome.exe	93
PID 4392 wrote to memory of 4928	4392	chrome.exe	94
PID 4392 wrote to memory of 4928	4392	chrome.exe	94
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95
PID 4392 wrote to memory of 2416	4392	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/jokes/Time.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb0f39758,0x7ffbb0f39768,0x7ffbb0f39778
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:2
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3344 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4504 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:972
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff728ab7688,0x7ff728ab7698,0x7ff728ab76a8
    3⤵
    PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5040 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3316 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 --field-trial-handle=1812,i,183209718437124952,8185698578430955174,131072 /prefetch:8
  2⤵
  PID:1328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:2436
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3468095984 && exit"
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3468095984 && exit"
      4⤵
      Creates scheduled task(s)
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:26:00
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:26:00
      4⤵
      Creates scheduled task(s)
      PID:4696
- - C:\Windows\5EA5.tmp
    "C:\Windows\5EA5.tmp" \\.\pipe\{10AB9720-7437-4856-8FC1-8B2C071F0972}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
9db13d88432ea7cff782c5d80b9663f7

SHA1
43f5bfad2ba0e9a313aa004a2c7c0718988225a3

SHA256
49d7697d17e46fcab67f6ca4d3642372117fbf6ed5bb8aa442d270b02dc52bba

SHA512
409018a8a5e60de82350257080748d64e91259d9d84ba3db4d3875a51274161999b39dee31cb1dfe32d49145941a23ab092cd0f2ad1e98fce6aee1603846c900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
8b40d66f03d8e6add2b270c789da7123

SHA1
0edaa9dcda84b38033aa924e219ac6361b2690a1

SHA256
f7c4d4e142440f863fc3a5c624629fdd0d7cec19c096c663492e45a921e23ca6

SHA512
6c2e64354e6898436373bab9eb111e57c0b69026ce100555f288da40faf7917241fe6943ee9f114d6b34d5a161b4f7d0690bad31b925573ad1ef00ca2e85676a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
31KB

MD5
b1de6a1b0e55bf48e8423ef4f232f506

SHA1
ae7dbb2e80dd5d0da0feaa10ce0457facc6ba598

SHA256
f403191c2289f94c90cb23fac47e731f9fe050629d772988736f7b8c84e50b24

SHA512
8268b68a1bcfa27bbdfb86de5d6df2ac45d6cf46e33282f73bedcaa80852e9125ebe1432dcc8c83826191002ceeaa49b9b1c7447dd8931b971d80a67e86eef1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
39KB

MD5
e9bb1892979ff9c4045c72d4e2e4310c

SHA1
a04b08d745106556bc54fe3865e4b23a5279c317

SHA256
315e9e4947a9e7e76b814c74c65eebe921c403bab92bdaf2ee4b9b25dde53e3c

SHA512
562ad1e7dd1bc6f16646338e92213a26c2c99d92508abc584390afb9c1a3ee95f78a8300296fb949256fc38d84c1b07aeafa58b1d5c4a11c166b04051b2447e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
41KB

MD5
016bb18f40f76996ba8025dd77fdddac

SHA1
d6f714e5a8d97fc6e97b7c8133e68c703c9bd876

SHA256
7c45e962bd395befcb49b2b0b78bb5a131335681edd2c24d1184d6f5b97ae215

SHA512
eabedbd917edbbc75cf48f6fd3fc080444acdc37952b5545e79b4eacd245caa80a52df714fda4a71c613f96f50410b3fcc5809f54b62d4b401d8690977a5a69a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f40f1a3506c9b3598d2e358b4470097b

SHA1
114c3ac2c6e24bc6453d480824c03bdfa7c1aae2

SHA256
8b0ab02391c905f26bc865c96a2d1e921aa2f702c21e58247d817ce37227ca58

SHA512
0ed8815f1e5278a485fe36a4528fab3bd1521d89344ded0bd315f186585098a0e33777dda7eb6ce0648414522dd946bc69b1705601b86ce2d91a64470a736469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2e7841eb-25fb-4643-b60b-f6eaf6404014.tmp

Filesize
2KB

MD5
8484506e23dd9d1784134af2a9869f74

SHA1
318f9abee6a24991e5a75c37e05d26c7f80e919d

SHA256
63e6dbce945645b95819e66ec9b7cc2bb221e1ab08f5b897b6afbe50ee24f6d2

SHA512
0b95fa1405b8564cba3b8e0334021d3db3266c4f849fbc2806837603308d1dbb3bc6d4947a57eb51c5e47f066adb8c2d5e7c96977f5f746837c0874c1de7dfdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
65a8d913e7d9338085698278b529049b

SHA1
0fa5aa9dd7a303cd91f7ff6bb972c379cbb74849

SHA256
ee4094147fa8ed4fc0e00ea07952f20201692216f70f3e47f5b8690ea2e17399

SHA512
0389fe0062adea8bc6b7e68dbd45c52f9bfc559fe0dc37b78a889254ca871e6ad68f284ea867de9ff3f9d16563f653aab3f5ba171538620116595750d9e6a6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
43f7b4e7c8f0aaef1303e1a6140c47e0

SHA1
b94a6330c47ab73215303b7fc58d39ad89502a9e

SHA256
580e168062425fc0cde7bacbd8d7531721f86319665f596645b84821e3c65f6c

SHA512
cbeddbe2d010e3d4a643f9be896f200120db02f878dd91d051b6a5c96408c02c401d09df998a1c8539256f30d1353d758ca2d479ad4a0b13bd705f545ecf62b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b66278d4a54963662c244a69aed5184c

SHA1
5bdc0746e87b7b20b73916dc1fae04cdc4fe183d

SHA256
866882b5435f8ad8ce2d1c26155a9a5f6b53cdcc6e3b3781f60328a7dadbe9a8

SHA512
650aba58f62d49547c139ba4a9d86fb1606de31dacd692425cbc45050577a5a288767f8cffcd8215957909c606415ffd4a82d3f2ae3828ab3f9931fb6671661a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
25d47d649a8496d405f390ada4dc7846

SHA1
3f962443c5bc9afc0610367fed1d8c54041722a1

SHA256
28ee7c77f361a31397aa43b5b4c40a449425c0a67d74650613ca2fb9e91ccf38

SHA512
13c765c4979443b6a6d60728bdd1f54e2fbcea0560ad79810bf0b89004749e417abd1522e237c8f7f6b819ad8cd2daf1260c89a63491725f5a13926c7051c2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
11d0f487e662eb9c43cd39ccd1daf2da

SHA1
d76ebdc31b8470f5504e5f229185becc8028095a

SHA256
9da21f32c6c8917f684395a5730d0a5afd487b6379235b420673f48117d568d9

SHA512
ca76cb46a30e998c672c3fcf97e4e9cb98335219127936cdd735679cf998e6d047aeb870bff22cbe6330e8fda04fdfc6cf1a2e29171f4a527eb477e5e64d9f0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
582d50be3fcf31b37e8978b6fab0d87b

SHA1
ffc686bd3b23fbb099f27d5c2e57132299bfbc8c

SHA256
670a0120275b82442714947eb22de1c99c4d58c7e43dfdabc30d8aa410e059bb

SHA512
64b0986ce6f9db815b3efeef36942cb3430e5baecb818a6d38b0c1a77c5f13f5d9efd04c1894376ca137a8e727493f9c85c09b10d2f5d241724df2a9dc274a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
94c11d2e219e8f072b500cb6aa63a483

SHA1
3102cf7f2f64d268c44cd1bb4bab97a855f0eb59

SHA256
bcd96328ba076f892f236973e60fb8ad951386571bb6876e4f9e8a0625db87cd

SHA512
0c942b41df91693c30c2416c188f40477f49bbe4ff9b73740358e60720415b7a884d488c8a8278df3b74113ec4bc9c79e8d6efab6097f238ac1b51905a87146e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
561886cdb7475542c718b98441293955

SHA1
7d5290b619aeeda9e22fc0a0a5a48da66aeb3215

SHA256
e7c671febe8f5a08bcd21ab48dfd14952af6d2cde2d96b3388a06b00c43a724e

SHA512
c9fed948d7806d3ca0cf358597a1e2ca4478c8230469e350eec97da7a54167f84d6bbfe27e9641e667906819ec0b7866a470f4974fd5f2820ab62eaecc3c7442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
548dbdf7f37f8537ec31c04a29c6feeb

SHA1
dd42206c0cfa5d1e9b449a760bbe49ad39dcef0a

SHA256
356a880a3e8e2c5b026b7731c67ce14e790665a0aac734d28378a7b3340f4772

SHA512
1bc6debd2727f5baf339583eda83e930f283cea2029aa66f3e386b8531087f900c628ed64b03c965652c2bd09809cc76391e28cbcaf8863cfa1c84aed2ea9afe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b14a12a015c8f36f5f192c129636136d

SHA1
2bde3886daed5b6912250ee1c1dcac3de793c43b

SHA256
ab7f55a6e55318a3e9dce045a73d51fe67009fbec40396665660c46cba7a49a8

SHA512
04af9d59fe4affde5837720eddc56eed8fd70f64c3e148961be9a2f498739f5f256769b6c51e6a8f3761d09411584c5101f14fae05d2015a332e0f7a585bcac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
83941b9f58d7e90793ab204efc978904

SHA1
6fa969188b3743f119d2ed3f5b48b9bf764738f5

SHA256
7cf2a937935eaa79bc5604d5b8d24f522f16207fd86721d4af5482b81079703c

SHA512
a1ceced9b17e829cc3a1354793056cba2199937e076ca4cd8d5e4524cdbb213a895e60a719b561442e40849634e28178ad53020d7e595f3ea2b40410c67cca23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
210a0be9657a9e105a9ebfc526726992

SHA1
576dd876074a13ace83c30aafaaa16fb427bc1db

SHA256
a385ffe2ee3f01cb41a03ca7077e86be30c36f7c6165f8afbab70c038fa7e31e

SHA512
e9d986d577595fdc343502de55599e3771d7eede1788a6bd1ce4643c77e37616fa8ed419739f6dffc7a36c97c5dd6133dc626d82fc66b7866ee38055fc330b66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5847e1.TMP

Filesize
97KB

MD5
0dabedb66b0af169caf38272d6711f26

SHA1
10094f0fccce715711e22ddd69db49376fedfc50

SHA256
2edc4afccdc4590c504b87ec2e1053cb1f4e277b6bcfa44773779fd5ac2023bd

SHA512
ca44a2b22745f42c3b9ae9900065e5c511695b09a8c8801d9129660ba96b3ca449368254747ec82181edf6fc797839d52f5203d9c31bd851d1611376a8c3f21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\Time[1].zip

Filesize
104KB

MD5
9418544d8cf5e54f71381e0cbbf71f90

SHA1
765b2b506571eebb0c7057f8eae4df19a02df227

SHA256
97b8f7fe0101acc64e962067791943fc8182aca1a692b18b88247d984212c513

SHA512
656e3cf0143e81350914d3211db4f5a7a1071efd960b4757da7ce2f9f106344fc741fd9f76443e12803a01e5910eabb5e7c8c03267bd9b4866c4ee0bded736a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Time.zip.hddxh1d.partial

Filesize
104KB

MD5
9418544d8cf5e54f71381e0cbbf71f90

SHA1
765b2b506571eebb0c7057f8eae4df19a02df227

SHA256
97b8f7fe0101acc64e962067791943fc8182aca1a692b18b88247d984212c513

SHA512
656e3cf0143e81350914d3211db4f5a7a1071efd960b4757da7ce2f9f106344fc741fd9f76443e12803a01e5910eabb5e7c8c03267bd9b4866c4ee0bded736a1

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
ee591dc6a4b47aeef13fd9589ed73bda

SHA1
15701abe2253c6d046bf36902a2cb53d50a78bce

SHA256
cd129ce2b717fd6aa9a0dbe1b6b36adc87c06a29128119320b38233ebf0b4384

SHA512
1a70d7bb1a4add909191feb1ed2d123f47837bd033c16cca7c946837fafabc221d94878057f163fb6997b9b322d6917f165af475e5b092abd57969ac4e2b5269

Download Submit
C:\Windows\5EA5.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\5EA5.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/4108-467-0x00000000009A0000-0x0000000000A08000-memory.dmp

Filesize
416KB

Download
memory/4108-475-0x00000000009A0000-0x0000000000A08000-memory.dmp

Filesize
416KB

Download
memory/4108-478-0x00000000009A0000-0x0000000000A08000-memory.dmp

Filesize
416KB

Download