discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0

Analysis

max time kernel
193s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 18:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
89	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Config.json	xeno rat server.exe
File opened for modification	C:\Windows\SysWOW64\Config.json	xeno rat server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 83126.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 999719.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
3320	msedge.exe
3320	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
3244	msedge.exe
3244	msedge.exe
2312	msedge.exe
2312	msedge.exe
5100	msedge.exe
5100	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1092	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	Discord rat.exe
Token: SeDebugPrivilege	1092	xeno rat server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4716	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2980	3320	msedge.exe	83
PID 3320 wrote to memory of 2980	3320	msedge.exe	83
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 724	3320	msedge.exe	85
PID 3320 wrote to memory of 3340	3320	msedge.exe	86
PID 3320 wrote to memory of 3340	3320	msedge.exe	86
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87
PID 3320 wrote to memory of 4484	3320	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb046546f8,0x7ffb04654708,0x7ffb04654718
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 /prefetch:2
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5600 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,3107208900671224184,10063615070667049982,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\builder.exe"
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\Temp1_Release (1).zip\xeno rat server.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release (1).zip\xeno rat server.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
0c2234caae44ab13c90c9d322d937077

SHA1
94b497520fcfb38d9fc900cad88cd636e9476f87

SHA256
d8e6f62282e12c18c930a147325de25aef1633a034eaf7a3ce8de1fb8de09912

SHA512
66709f74b19499df1e06700e1c257e14a82ca4287194e4b177b3f333748d927f413c8c459a35e7e5a2f92d28410b0129f106d94e3dd85bc0dd0b986add83b18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
44KB

MD5
2b312fee4bff7fb9b399aa619ae1811d

SHA1
cf5e3270ef62ea6ce023f9475dbf7ed67e10527c

SHA256
fd5fb41882dfe849ea47547bf38b9abc435683d7473703b4cb37e8c28b1de4cb

SHA512
3a42c3a12da46656d8dca9b54651027873f42d2ec2e6e706a41b4b520d387f0c3c0388e3d117bd49174d7074079f3404c00b6141c8dd22d38ef1a257f52a9791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
21KB

MD5
9ccb3e387ecf1d1c32d33a33b61db8f3

SHA1
9d6625afcaa4d6bfe223268ccf82ff32ea9532a3

SHA256
3d34b64d0099f608de0e555d46338252a99d36f2a25af7180702c9966621fa0b

SHA512
05c3d41fd4115bd66c1a938ad644424f8df93f96ae27004c800e43acbc4b23568456574ceba605ea696fb594585811fedd0f9ec547a697344479e4d7516f65f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eddd8159ec7629c7f6ea2a82659ff547

SHA1
ddaf02eb6a3505f0c736ed52bb75b63152539b63

SHA256
ae14a5b230931e8b65306d0b73da597cdc865712e75235124c73eb882adc62f6

SHA512
8739e550878d72fa2e62c5568da898e3e717bd966ec43b83f272041fd3518b787d5573a37b9b77d37fdfbc323cb949b222f542150698cb5fa985cc4965d82d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8c66ee3d91ff9ac0787bc0464c7c59f2

SHA1
1f2112ce14a17f267c102807f7bb784c00044d2f

SHA256
5b67f9bd295152529895532d75963580d101deadc416fd438f76a599e3fcdf13

SHA512
1b3bd461fbdf4fb42abe3c4ed2a67fb7c02c0574b014f361729ccb38c5266d362b40a66ec5f0d38a2812356d180281196a9a614905108c7c6ff3301de8e7561c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7427feeedce6cfaeb1e07cc7611e9361

SHA1
2d910fdab7fe65683d945a0f6d19e135e61b731f

SHA256
792819be0bdaf1489aecd0d6e6c2fa559ccee116b596ae714441e323761a4422

SHA512
996e00c4d62bb3561ac770100ab6dff2894f5ab2c973e5ccf87835c635838f06ad09e9f0b0e7fd0edd21cdd91c207ec6d2000671ab7c2da7a22221a1c0bbb78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
a283654b67d895f54f9fc847e5281425

SHA1
6b27f949ca92e9a982d8219b9d56c7e7144de2fb

SHA256
0bda1f8395de198ef2ec36b1515cdd373dacbbfe95dd11ac9f0c6023599f9e54

SHA512
dd1f67e6d0aefe0113e4b1e51210ccee2acea92503bc8d21a2cadc9555566152bead1769b574ec33d80efa55a3f660f083ea485faa4964f780d96bcbe46d848e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e221f29e160586c1c52b4688c3f32ef

SHA1
8b08e72e59ee0bfff069ec7dd64b7b14ebc90bbb

SHA256
0753f00ee746af5626df49a4908fcd889684e57371a58483b078b1e472d4a0dc

SHA512
32e137a2e13c2ed3020e0646a40704efde7493201a42758953247b08276df91af1c4b335bd998ac9506980f0fb7edd2fcd751b1662a6a5c9786f3aba3805f962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b5c94377f00d0039f549562dbd417c6

SHA1
ebc230d63eb389135f621d5ab48084096c74a474

SHA256
9f2de7b17d43748f41b60124c53c308375650019197457dfb2efa0e5bc29a6cb

SHA512
9f36071863e5f58daf7e03961474ccbc2963a1edaabfde5197c8045700a4c912e9b14b124e212828851ae033ff3ec6a4355db7ae9722832f9220690c58e89559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db75bcc076c94188acb1a2db10b96746

SHA1
bc94554c08988f642f2609a9bdf172082d08b2b2

SHA256
3fcdae432ca953a8c4ba45ca46130cfa2d5a7e5fa8a963faa57b5564cc111228

SHA512
5a5fddd9a891038078005030eff66e2998b6613a37186e640c72d9303aeced208f3e3228eac583a8ff92f2236335fe803358b047eb4a89f1d6759c9112b209d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e44c3d4cec4691421b56b91d28a4aeed

SHA1
8562e458ba7e9a318515fabc9c9c8ecc81d45c5b

SHA256
d30393c5f06ab3484c34d93b55fadd6eae2de12e34bc9fab29970905f96259df

SHA512
4de8716637f1825d9cae6ddd878590d577a1a625e9df7e7cfd89187a6dda3a3a16c1dbf9f48de3387bb9ca3c6edf13a88bc0e9139d1e57c5257da2ef199490eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d72b23ae6338bcefce3c5999e184c8f

SHA1
fd8c3aee988d217d077dc0d5676d7f0442a16f6f

SHA256
d8cacc9c46854dc1f842c67603ae66cec59167b0551c1768e8e6ab1550f60eeb

SHA512
0dd6a2b204da713b8536b2f58c10fc9b3544675e2161ed6c256cb1a820a7cc61399e0a06dcafdc0592220c4a75abcc50b08c23d58309c9f588dbba5032584685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2620dac67a63f6673befa47bc536d61d

SHA1
41e6d4d9f467f0236b0f92b8f80e859a8bd98b7b

SHA256
0c62f1ce0b88a5a91a03486303d6624776dc06604ffb142dad732ac81ba5d844

SHA512
7adfb4cce40f7127b7a95594ea7dd6716ed8afa816bbc90357dfffe56924a9b085a5a872453a6d4a34045c5102d4f175ac06d867b6079bdfee7556294a4dd2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0382213d4425cfb56c24533c8f24f5d4

SHA1
4dbaf3ca1aaef483bbb2cface3a5ca16e01f1185

SHA256
5912782664e596285d5892359212705bef06c2efd499c87f1455a1ca09e73c90

SHA512
cc2fa6d139cefa796a777e35a1af9ff7d63b5c885d8a54ed2cf053d9fe5a3c5827a676166d2aeef424cfa902bffff19635055a362af694c74450c20829d6eaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2cac77cabdbe7c238d744c31a6e73a6

SHA1
91427426f33da2197566562ed7f7cbe7280d36e3

SHA256
690673fa4f2f04e16cea2826cfe837d774da911caf1a54c6a6a354f795f68bbb

SHA512
7deeb7542078f6b775c85c06be4656ad0197758c8cfb53b69e4e539f6b3e6b422bd975543c7971bda3474f5c26d0a68146836f4809db4a2b10fe140782587715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce8908151f4031b395e5be2c3372894b

SHA1
af084fa83ebcb347f7024a1047bbcdfbca98cc64

SHA256
47634dbbfab1773f5cf95e600d091deba598e5f8b93bfd640166283c11779e78

SHA512
2b31f23420f4f0e59db008e00c8a0991e7b8a227a4c7a4a61190283a1a4b7a690caf86c77d33cdf35b7262f989eb8f54abb42048eabd9d2bb3495ebf1b38ddba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e7473ba8520ba4b8a3f40a4d83ee357

SHA1
439176f4230b909cdf2b5fdaa119a176dc57f648

SHA256
b32029d5211ac6613ea1352e69e511d0a37f07b4df421aa38731a792dd0dcff6

SHA512
de814e04b344c00cd116b2a489cd62ba655a68d3a51047366300984750aebfbcc082b1b74bb989c14a1d36e4b25c2c8f3796b5dfeffc6fd378e7a83ef20dce5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23173244cd5cd9429d209837aedf20f1

SHA1
57e3440e7070d2d1c5ec68cf6d0e781789c13e12

SHA256
9b0777926f2f7123543b5df4dcf30412e0311829205110721dbcccfdcd6ea5fb

SHA512
360465ed26b899ecea5ba964bce65e6dd0cc24ca3a0086a2beb12cdc15d104d4e8e8b284a0f364c695b2a6e4d9a6c065209bb2c2cf5b938dc66098378bcbe002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ad62.TMP

Filesize
1KB

MD5
1ccf2d2233743b4eebd39bc171bb6d2f

SHA1
765d4531264ebe3dd3ab4964626cb6e1c1855197

SHA256
63470ad01e3eafffade5aaa6527a433f374e88239b33a962a145f01887bd901e

SHA512
5506e8df817704013c7454f9cc346d2f83a067a7710023f6193e01a02f72c716709e62c7814d394b05c41eb43517bd459b99b847fdf31aee2b3553f19a655f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3805fff7879c1b9aea1625f7d0a102e7

SHA1
ad12a67cba0e7adf6221b91bb3e237d1ceb8bd3f

SHA256
3f305f3ea2bad509700057e182c7af75572c8266ec2e0e405ee7b35f3a333d48

SHA512
96d06aeada4d463d6a315d5a0f2d669220169d739ba547cfa644b42adccd813d385c3dc708b6463d0bd0d238ed14a60a003ad86f1dfd81187c991af8eb05c5eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae75626d90cfb7d10feba2fd58ddb357

SHA1
286ad9e19151f9ada5efd551bf7a40bb7d0f876c

SHA256
d9d78bf992a99b3abb61d59c5045d87361096acc40c415ce8b2310fbdc9648c0

SHA512
3bb211e02465856eedc152bc481450b2f23425e8859f326bf48a0736abdf7e414b0c508a3a6f64e8b383a7d80cec4905e63dc3707b470f74f4e41dd032c4d9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d42fbe06cb6a649207e9d30e6bc0b8df

SHA1
277036a145b44a36af1dc71eee137f1b3ca4773f

SHA256
0df7661f109f9768fef57415ca514f8522faae7be9c67b26a87ccd98b7786b72

SHA512
34717646e60b930434611049da7a7a42c03f93e25a272937b3f8318f7c9bff28e556eab233e3c3a028b74d7b05d6d5bb104c6104254ed5ff74d17768e9173232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3ff89bab490a97e08f0d46969676cad0

SHA1
3b8e8e8983c9ee120eddb6619a5df5237db73417

SHA256
cb6de1ddcb439a588287d75da02e24fbee4d45a2fb6b41785cb9d36fd3f95647

SHA512
7eb99a16ac165bec4896032098f38a380e7c06bd269b674e976ea8cabbb8fdae89323d669f5cb7d3a4079641e7d71a1a12c62a3ea4aee58761b69941aef89837

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 110570.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 438544.crdownload

Filesize
11.0MB

MD5
07411eede333fd84a6c5a7be92a718cc

SHA1
d88a219bb148756bf818a1d5526fea978fd5a172

SHA256
bc8d2e270fa52690dda2bfcf79230ed9baba27c871afc79b536ecb7b87284105

SHA512
ada7cb62cda0ceacb6ac770466086837ff2d0aa48c81eb123e844a702200b93be7a883ed547ae555f82cd89458a0e3c5f6da0bc138cae3ae99ea9f48f8c54b3c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 83126.crdownload

Filesize
528KB

MD5
691b1c14d5d26ac4d4d4af39fbf523e4

SHA1
f6342b5778bdd672199a9343137c4f4aae7d5870

SHA256
c3727b9a751f3e6ced8722bdfcdac7e9d4ba9723a3680b7dd939c1a159edaf6d

SHA512
7b3d6da7ee23dd6276a30eb0c416a5e888a3fe6302f1c305b39b51c9e0ae3dbcaf783f5199859962b5b5e54c4a979b38ef10ffa613b798f296d6c9a940143383

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/1092-474-0x00000000093F0000-0x0000000009744000-memory.dmp

Filesize
3.3MB

Download
memory/1092-473-0x0000000006A10000-0x0000000006A32000-memory.dmp

Filesize
136KB

Download
memory/1092-472-0x0000000006910000-0x00000000069C2000-memory.dmp

Filesize
712KB

Download
memory/1092-433-0x0000000008190000-0x00000000081A2000-memory.dmp

Filesize
72KB

Download
memory/1092-432-0x0000000008160000-0x000000000817A000-memory.dmp

Filesize
104KB

Download
memory/1092-431-0x0000000007FA0000-0x0000000007FB4000-memory.dmp

Filesize
80KB

Download
memory/1092-430-0x0000000000BD0000-0x0000000000DD2000-memory.dmp

Filesize
2.0MB

Download
memory/2216-157-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2216-156-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/2216-155-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/2216-154-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/3628-237-0x00000239460A0000-0x0000023946262000-memory.dmp

Filesize
1.8MB

Download
memory/3628-236-0x000002392B980000-0x000002392B998000-memory.dmp

Filesize
96KB

Download
memory/3628-238-0x0000023946980000-0x0000023946EA8000-memory.dmp

Filesize
5.2MB

Download