discordrat | 9a0c4c660c056bf884904ac11f6a1c48e593e2b0c3f333ffd7a622b140e366c9

Analysis

max time kernel
374s
max time network
376s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vitutal machine.txt
Size

175B
MD5

e9b580ce01c0b7844ba190f214600074
SHA1

a29436e3a477c77270a638b5956d2e61ae3bbe65
SHA256

9a0c4c660c056bf884904ac11f6a1c48e593e2b0c3f333ffd7a622b140e366c9
SHA512

6b176d92f0fa3dd819f703cf326773e8c676e09f2e4a74c2a8056f8993a02f0a466397d757d6506182860b9ea7486b0def3cba985a2e540080a957f17b571a5e

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMjU1MjA4NjQ3OTI0MTM4Mg.GaU2F_.zM0KWE9EdES_hutMH-ygIxZTPrXGfhJt1JgICQ
server_id
1222550977224245328

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2788	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133560238801203765"	chrome.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\7\NodeSlot = "12"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\7\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\7 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0700000006000000050000000400000001000000020000000300000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\7	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\release.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2020	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3464	chrome.exe
3464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
420	OpenWith.exe
2020	NOTEPAD.EXE
2020	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1076	784	cmd.exe	78
PID 784 wrote to memory of 1076	784	cmd.exe	78
PID 3144 wrote to memory of 880	3144	chrome.exe	82
PID 3144 wrote to memory of 880	3144	chrome.exe	82
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 3936	3144	chrome.exe	84
PID 3144 wrote to memory of 680	3144	chrome.exe	85
PID 3144 wrote to memory of 680	3144	chrome.exe	85
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86
PID 3144 wrote to memory of 428	3144	chrome.exe	86

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\vitutal machine.txt"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\vitutal machine.txt
  2⤵
  PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb6e49758,0x7ffdb6e49768,0x7ffdb6e49778
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:2
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4064 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3932 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2632 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1736 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3908 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2732 --field-trial-handle=1812,i,16759028670289495100,11937372880850179992,131072 /prefetch:1
  2⤵
  PID:3808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1868

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:3756

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SkipEdit.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SkipEdit.bat" "
1⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SkipEdit.bat" "
1⤵
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SkipEdit.bat" "
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7d82f6ec3ddc3f3852827762ce2f4071

SHA1
406e06e743d9821da3fef17aa90af39d0c975df4

SHA256
ecdb5ed6f5bf35a8c51f4fab7a344c42f62c6424dded915e37efde76b0e5473e

SHA512
ec831412f03a398e5a9943df9a02879e32eed7d0e3198fe1b38b888b3ef217ad70d7939279ebcdce570e8ba9068c7f006c24f813d7e0f851f965ce75f1f9a848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e53cb9e8b8f2d6afd1688a07efe4a439

SHA1
8e4d8b8737b0efdabc11af34fce3625bfddbd83b

SHA256
6d5bfb48824d44dff57733c8c90f3849e87a1c8f1e1885a7db40683447a1a1fc

SHA512
7a22264f17c5e0eddf6eaedbdd634cca7268959a540d8d84ff238ec03eeb8352a1fe9133df7e657c84a97b93f5e6eccc3556e41f4bb0b5815ce0839ad6098e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8a5e45db02874ac72fa025782f7be033

SHA1
f04636eaaf0602cd0399091eaf6fc4dcca54f16e

SHA256
3ba9c2204e140a2359cbc2f9d457227504a72dd004dbed01a5463eac67753871

SHA512
d3eedf5425b9c47be4441a4994eaa7562b9b5cd095d66958c37a92e733b5c8429a2a06a33c6c5d1f1d39680e84c242c89832ff67f276031b22a61368b1ac3447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
72d7ee69a84b4e40ad29fc4b91ae234a

SHA1
d1472648cdd6ad6ad60683c6febb2e38474cfba0

SHA256
e4b8bd89ba34b506856a3410fbee32bcd189a771e5d75bf7f2f4641394402425

SHA512
0e2abed5685b3693613335c303883a70c31eda3ac863351095fb0070462178d4c25ac58967353e6e41a9050a5153147ae498734008c50a643fd752e7faa92d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c010d892ceb6f2b63ee58ff693c7287e

SHA1
bca9f28f0fb4a38c6fe4c8b2486f8eea3f92aa2b

SHA256
c1e39cd25e5021a534edf62b82944fa94dc70e78d47d5c3a28c9245faccab022

SHA512
69063451647fde937940274f571fe15262aaa8f97ed02dd17f83b0a7fa68ebaad06b0847119ee44836c2620aa3c8e3682753086c4cfcda1c68adb7123bededc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
45e53c4580d5c5aa2cb946d70a356915

SHA1
403c57a5b7f2eec0e197ed2f6bfa43e4cf704f93

SHA256
04c68cdb401bf112825f43a2d9795ee8914de149f5a70d0cb7ddc6993811257d

SHA512
174bedc690a1d420a28ce65cfceb4127ffb3d8420a064ca258d39a55bf7b339491f7129c7efa2087cbf5837d16af6dea3f7f0a8d9406d41f8cb21363d575f6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6ef291ae2a5869fec8f9941cbb847d38

SHA1
64785827ebc77a9c7e72968de2b138a32bdaae20

SHA256
4598c8351bccffc586d240e5ad8404422a133b8fe00ce2be7df5e88d21ba11c9

SHA512
346ce702c80d3f96fc5f7919f297d642352147459a69a7ab662fbfe93ba6e7ca9e6bece19022eb85c6366185f6adc6e9eddfdca6bcfcbfd9b55b5097b4830f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c8e02e8a1ecee82cea88f7324122f338

SHA1
ffa5f57ad17017fddbce3850324ef77024dfd1bd

SHA256
aa7292e78808e92c4ca95bee09394974e333cff215eced4d2e95696615181052

SHA512
d95adac39a9b8f5978c7e11170d2fc69759770978d2141bd4b66a14ebcc8489ab64a746d33ed4ccab9df746acd075c6c24aa8b22294e23df7ace9836eae101bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
b4ab9a89dd00202d7087133c145f77d2

SHA1
b0b4ebfd2c02eb3fb7bb0445e5392bf9d9605a0a

SHA256
56c2ea1e11168b45a8adec94128bd0a9fa293df169c00ec00a3501abf1da8fc6

SHA512
1fa5434db8ae56f5eb586d1e44b2fed2b8abefe06e6ae0c8614343679c5d0844bdc919c259a0eb4a1f9ad90e251b8130ddeec70b19818fd5414bdce4e529c192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a23eb80498aeacca2dcf78f6ebe853b3

SHA1
2d05637347d1a27472617a9971f58e9f05d65afa

SHA256
f49c4ee9c2f236526d991e576b93ecb960ab0deb3efcc44545060c960b30d443

SHA512
015bb09011b6f2c89c6645c67e746f4a83197339898eb60b9e36c1ba49d75bbb3e4829d554c45f04f526d4f80f1b045605b3e30815f52b190ca8b4dba9ea6c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3456773db0b85da522a57fe84a112cc2

SHA1
0f82f110c49c1e931cb2db4ed214c0d3bb4913ba

SHA256
362d13adba3d6257bc8894e4cb9e801149097f83761c66b4ba7aed05bc4a0c5f

SHA512
50e2fccc506815ed391b3b7f549551a0892b11e43bde2fe16be31d503d7c8cac861e7284678500e5f263a69f6004fa1a27bce5931e58b5b6aebff1d666dd86a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a06808a614cc8a537bfa853ca6d76272

SHA1
b24469855c30a8a6837b9678b5a74f1bde0f6302

SHA256
86995532e98078f0d33c8187eccddd0936988115f0e3ae4cb06a14351283020c

SHA512
99bb4529ffd26fe758566349f8529af9f69d1397cdf5b3e1da42309c0ad6a8696c8fcdab0732e2d7d88fcfb48353fdc3ac3e4d214065d22df5b505ff5c433016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c50938b43163546e550b52ca02eb8b3

SHA1
3e730166c07093a7eb8f04becb1aa4a7cc537284

SHA256
0f78857249ca4743ff32002330d5652dabfc38c20004442b74279b5dda83ec84

SHA512
f0b11bb6c2a59a6c20f4c75a8338eb87fdd6b20bb5e05a40a0e79b81da7e750d25ba9aea986f944b802633dc80765c70fd46d449e73504ae1152f6f3e8fa5247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9b3da0dec2c5379b6622cbd7ae5a458e

SHA1
e261c96c5f96d72668d2c686942cb859a6e323f1

SHA256
7151250e8f6ea37903064eb264c43b07f06f8d078265df7437a744d2182f5419

SHA512
80a7bd852171651758b36d2937949a43b863246d052bab8c8da7b861711e664570be73a824fffb53a527139c539360753d717dbb8d8a629b4c26513217726a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
2cc1e0326c683b93a84e0a181ee6ff5f

SHA1
70a4a7cec27ea9d5f568c3ba313095af7fd7d86e

SHA256
abeaa3f699df504c5edc2171ae379e60edaf9a4bcf352bfe18ff7f2ba1094e23

SHA512
a519d3b95eed4c26f10026da85798e8faba876d0d34914f2694141fce30acdd92c2830764d2d8bca1bf6627ba1f86b81f5f7a21ef798fcd67f24ea6fa859affe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
f723be5dc0714b908e62b4d8b7a17192

SHA1
fa8190187cfac4c05d5c8ebfc55fe1d7fec394ab

SHA256
59d4cebd4f5aa8b52ef78d1584b8de0c5197dd643537dff6f1bbbe536b5d5c05

SHA512
debc4d48e3ef749365dc874841a7e06cc2cf256a77e3de7081bb067b067dde217e5e724c772c6d926dcea10fb535b86d56689bd1123bcbcdfa996906f7fc2352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b5007644-d2b9-4a5c-a810-1bade20a6b5d.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\SkipEdit.bat

Filesize
16B

MD5
deff1674415d5eef36e53e7784d5ecb6

SHA1
5ced42315128c3f6d6dcc7fdf9c66a3707c571c6

SHA256
c23180e421471a8f765e4a0f08386a03662803cd0ff89ea12ae428187cfb74df

SHA512
c5ef8e16bcd3d684c432f5e7e457b01545bc4c2d5144e8c38fa8dd336dfcaec63122e05d1677a1408324a084f3ab3fb1ca81b792d609afbcbcc6c6ca01a04081

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
c00760903fd4ea3bd525a0b781521eb2

SHA1
a722e93090a882233b85f91762bb6cb3fbb7724b

SHA256
589a7cc7e3b35f659dde89190e494ff94012d4ef4f787653b70818fc874ec254

SHA512
523ee987f10501d7ffceec88aae737057855fde9670e01a08c9f97066f680bc8cc03fc5f1e349cf7aa29036627677d4e7eef70153b6a2a44d8c12563f117a6b2

Download Submit
memory/2788-204-0x0000017890350000-0x0000017890368000-memory.dmp

Filesize
96KB

Download
memory/2788-205-0x00000178AA9C0000-0x00000178AAB82000-memory.dmp

Filesize
1.8MB

Download
memory/2788-206-0x00007FFDA2E20000-0x00007FFDA38E2000-memory.dmp

Filesize
10.8MB

Download
memory/2788-207-0x00000178AA990000-0x00000178AA9A0000-memory.dmp

Filesize
64KB

Download
memory/2788-208-0x00000178AB1C0000-0x00000178AB6E8000-memory.dmp

Filesize
5.2MB

Download
memory/2788-215-0x00007FFDA2E20000-0x00007FFDA38E2000-memory.dmp

Filesize
10.8MB

Download
memory/2788-216-0x00000178AA990000-0x00000178AA9A0000-memory.dmp

Filesize
64KB

Download
memory/3756-132-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/3756-201-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/3756-198-0x0000000000910000-0x0000000000A32000-memory.dmp

Filesize
1.1MB

Download
memory/3756-159-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3756-158-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/3756-134-0x0000000004B90000-0x0000000004B9A000-memory.dmp

Filesize
40KB

Download
memory/3756-133-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3756-131-0x0000000005190000-0x0000000005736000-memory.dmp

Filesize
5.6MB

Download
memory/3756-130-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/3756-129-0x0000000000040000-0x0000000000048000-memory.dmp

Filesize
32KB

Download