rhadamanthys | hxxps://github[.]com/sapperalfaboy7/nitrogen-v3/releases/tag/Download

Analysis

max time kernel
169s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1860 created 2684	1860	RegAsm.exe	44
PID 5048 created 2684	5048	RegAsm.exe	44

Executes dropped EXE 2 IoCs

pid	Process
4964	nitro.exe
6120	nitro.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 1860	4964	nitro.exe	154
PID 6120 set thread context of 5048	6120	nitro.exe	165

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4872	1860	WerFault.exe	154
4000	1860	WerFault.exe	154
5488	5048	WerFault.exe	165
5824	5048	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662860885027197"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
5652	msedge.exe
5652	msedge.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
1860	RegAsm.exe
1860	RegAsm.exe
716	dialer.exe
716	dialer.exe
716	dialer.exe
716	dialer.exe
5048	RegAsm.exe
5048	RegAsm.exe
2920	dialer.exe
2920	dialer.exe
2920	dialer.exe
2920	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5892	osk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
5892	osk.exe
2704	7zG.exe
824	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5636	OpenWith.exe
5892	osk.exe
5892	osk.exe
5636	OpenWith.exe
5636	OpenWith.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe
5892	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4496	3744	chrome.exe	84
PID 3744 wrote to memory of 4496	3744	chrome.exe	84
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1116	3744	chrome.exe	85
PID 3744 wrote to memory of 1964	3744	chrome.exe	86
PID 3744 wrote to memory of 1964	3744	chrome.exe	86
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87
PID 3744 wrote to memory of 2680	3744	chrome.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8abeaeddhf8e8h4fc7hba3bh3ba01b543f7d
  2⤵
  PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9475646f8,0x7ff947564708,0x7ff947564718
    3⤵
    PID:5404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,13594044689532930260,13171887026524042794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,13594044689532930260,13171887026524042794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,13594044689532930260,13171887026524042794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:5716
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff95b08cc40,0x7ff95b08cc4c,0x7ff95b08cc58
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4472,i,16234238739335987670,1196731022595898613,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3296

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5936

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:5208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5384

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:5852
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5476

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5703:78:7zEvent23853
1⤵
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x51c
1⤵
PID:6080

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NitroGen\" -spe -an -ai#7zMap2652:78:7zEvent29917
1⤵
- Suspicious use of FindShellTrayWindow
PID:824

C:\Users\Admin\Downloads\NitroGen\nitro.exe
"C:\Users\Admin\Downloads\NitroGen\nitro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 612
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 624
    3⤵
    - Program crash
    PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
1⤵
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1860 -ip 1860
1⤵
PID:532

C:\Users\Admin\Downloads\NitroGen\nitro.exe
"C:\Users\Admin\Downloads\NitroGen\nitro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 596
    3⤵
    - Program crash
    PID:5488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 580
    3⤵
    - Program crash
    PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5048 -ip 5048
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5048 -ip 5048
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e0a938d1667aea60219cdeb34649dcb8

SHA1
96130b3197a83c06ea4cbac43e0b5c6eb1fb68d6

SHA256
1f7e7e1d94527a5ae04e75170b702278f00523ff005902c76b3f76c4b72cc97a

SHA512
6e093bdfaee2c63abd92c4db8b6fd3e11aa41204b254f67ebeddc3ce4077ac66710b44e9c78bf84573b7924b2ac8759413a289aaa13048c3121cd33e67ea4a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4ea0dbf511010283ef735a86150a90ee

SHA1
6bcd2d19240703aab0a6c2524a7b0498598a50d3

SHA256
7e07703dc9385e301ecbb10f79be52f31ca468272144ee9479ce0c60a82c9274

SHA512
74137b5a4502235d5d379af0b21bcee5b4e615173da5155649f06bfe24a821c363a73f4847b969906378faa6e99fa3a2b7e883d8d7ee902a69d2b088498abe3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bba31656f352e66251fc8562624fbac1

SHA1
77417e9287daa4d017098b3a46722f85214abe48

SHA256
7f695478ce38a24810b1838270d4f5b888ff238ab87a9f83a516178da94b38ad

SHA512
d5025c5ae515b6646f2cd50a9e138743c856586fc1392944729f913b6590009fabb9064bdc8e65ce13b30a48a32a1343df1ca4b6400acc9017f6ce9cf70fcc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5532b77d1d096fb41f1ef39f413a850b

SHA1
218d5644b423fef41e9347f51b9c838227ce91f2

SHA256
8411ff2ef0881bf3d9288aa299f895291dc4b3d771c0f604b2c3e576ed77f29f

SHA512
4bc59da4b0adac744381798af5ec4fb62925d4b89f5d727917481e9331baeadcf8ad1127dd49ebac74be6973ec4ab59898179a16208ea759fa95eec7b346cdc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e281d9628a8e95e445ab325e1f923035

SHA1
2ba4d6cdf0e627cab7984c873c8d096ead6e9ad6

SHA256
d1345b0621857b89e35a411b5847a533b40910c773ba15096e0793c515b7d503

SHA512
f8a8b92e8a9d702e47c006166d2673048d7d394c9426d9ec47806d6016967f5f401baae80c9acc41b813cf676e1c5fea4bbbb2f23b26287d72c1cf63dbb32bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f018e785cdfa49d9cde54581d1be47bd

SHA1
284c67c1bc34cf7aa7f45e13161a1eb6075564a4

SHA256
a26e1221060ddd0dfa7265631689bcb54d7c4b0ba6812c5b9cfb98a54808690d

SHA512
f94f3c202c991799b4fb3dc60c4b1c33581c91c13611fe4949767c3027c443cfdb69d96fc0575707828923fd81350728d3f9ee4eab197691d4d0103546f4ffb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9b3d56fecad39b46588f42f562a9321

SHA1
3555c3f0778a828adf9e0484d8f529138fdc3b85

SHA256
f3050c10bf319876a2805dd43ebcacb57f29719babe5ad40edef8e4586e0b93c

SHA512
036ff99084bd647cc1bf8ad418ced6ad4e3868668f1001694aea4f5432c28e91e1888d000936bb7141b0b703fca3d40c397fdb47fc9444daa48585965994a943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6399a22693372588f55781ee3f6fbe69

SHA1
aa0a927c8fbbc39fef22e3af960f3b3810ca1807

SHA256
c34ae5152be2cc7da170ea24ea1859f35d67a6689c8f115fc73ff34b7f4accea

SHA512
97f7b76a699bb8379318e1fd186ae01b867078830c4e3b7f340fd1bd668005c34a11146a3e97f65a2a21585067a980d0a53f129c043bacc16f536bcc75a267fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8721c915e7a13c2b7e3c16742d7896ca

SHA1
f4244436516d1cfc00f19e9b7a36d96981390443

SHA256
4820d0257c0704728f990b942e034fb9e1c8e8ebc4ce64c3bb936c8c9ea8123e

SHA512
ce9953ddd6f6952059437636a38bd790cf01635c390198d76703f24abd62f7ecd4211e40ea3a5eb4facc5486ea468bb3bb6e5e7c15c9fa954f980596d80570f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d54d1e525685b13d6ab543bc2db2dcfe

SHA1
48242528ffcebfee6ec2d607daf1467ca2f1d7de

SHA256
6b5d38a80dfde64d387af18a2d30f6c17364e5d8fa180ea30a0c39593f6b25ba

SHA512
c644fd2e3707e9275b2192f79a89082507366c2ce18e6c2be7f4614e05d056f88e07bbc27d0b3f2020433d83702f8dd58682853532920a54749fef78ad0dc760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a3d190a02406245a168fc4b438a99e6a

SHA1
dd1b1668c36f2d00f7f1ef384b2b403b31176581

SHA256
86d4c3260db7fdf8ed4fd04d385ffef6b4860cdb5072b2b7b4e362a75c2efd33

SHA512
efd15e0b06930110b54f641a9a179fc59b35d0cd6ac4692f32e694e733a982278bad950586c96916cdc761cd6c06c8647b5c7dd006f44255fd25edebfa907454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5582b797ea925784a4b557519c89f84

SHA1
f5bf974bd91269a0f916bd852f1988e52b5f5343

SHA256
fccf2d36352e16c3fe84eeccf298317b487a75338dae25b2c6e8f4864503ce31

SHA512
a626c73448a28b95cda6767c205ac9f00bc89c150e7b5ab2334b40e29e2d9f996db759fd7321678505ba0b57cdbf5647fd6e3fb886e56dccb582ef12cef52541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
834beabadc3487ae351244aa17411fd6

SHA1
48910b9c0d39fee60d60ff10285016a1baf7d1fb

SHA256
33822c3d7351f468d8d2a1a76dabbf6f11f19cb3ab0a22398ebefd66d72b451d

SHA512
c3ade202d1c7c59703e2aa43e990251500c902c7c41b70973b337cefecad06dc1863217019b56d3ae709128f1b38553fddc4bd63f6b8e2cbf10d46f6acfd36cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f69ea568ddc91bfa8664c65ae345fd15

SHA1
b556710bf3c35d4bfca4c4320f3e9538a7040a3e

SHA256
d1522623592f4c918a262453d7abf60c8a5997b775f1fe8e8e6465883e2d7cc5

SHA512
4c5ba626e4d5084932408db8febca0babed48e32d923a1858689cdf96255803e75eebf16fffdf486fc355daf57eb6059292af1d6536480a6e28f7b6104f88030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b275eaabb40275dd6f991b2a67554212

SHA1
75bc6214bc8e7cde1005d5843e6cdfbe0282aff9

SHA256
4b8eb8213fbd1f8a2596ac81ee2a6cb4a97e147fcfd2e8f777d78bb27e00b9bb

SHA512
a0f7725076b5727d63b156cf5141cb5ae000ff4481bff2d4eaa9abad5ae6c4ca872186d3e4d57ce521e49703f4a88e109d6196e05eaab48e6f3ccd9612c4566c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6ccbb8cd80647ae48572f28477b11be1

SHA1
51e8313e1f34e0dcc2e7840700a4967c3e66d332

SHA256
9e9bc6de06a496969827caf50dce150d13a167d321329d5536990faf7a0bb8e9

SHA512
a8522f415c5906dc02dd8cbe4c5a8a7efb86e372b6e5dee8ddc7589559961e1b06f6a307dc9fca01032f8ec9116374dd0ec9c00cd19a382396f3c81ad12250a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
051f1fea297521fc217dcbea6d1822d8

SHA1
944c40c472096059db17cab27132d84a6980daac

SHA256
bfefb1ddd6b5e90482c4457ec893c445c4cf413e66c658c56fbee41827ab3ac5

SHA512
05aa0e0d9b4f0bb7b54cad8251434f41ad02812f9ea77191c1c48545333056b7674154c6301b709f6499edfe107f69898298615a202e45a18736878ef29c47c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
68e7b6f445d4fe502fb7a872a0855cc5

SHA1
47c240887e3fda5b37b0cad7beda66d873a729ad

SHA256
1e38d8821df7e3581eae92764f301637eeefc8ad8e6ff80f03323848f5301e3f

SHA512
30fa7ec3c642f30cf2d561a68f1fe168b81fa99dc94750d9babe86dce4709de4ee4b868942c1a1b2ced9a952c5a0003cc05a357b0acfd07c9d434843d0210905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nitro.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ddae59a18964db399fab2173a1b3880c

SHA1
3f8a6ba012b213a0c320fafc197fa1cf6da60d6f

SHA256
8ad2595a3a61857c7e4f4e36525e770ecf82ec5ebf075fa8eb51f125297a3ac4

SHA512
4ae3fe7d028128157140b6a9fecd6290202759e9064d287385359c0482e0420ce9c74b38f6c36448bf5bbea1756ab18c45e9632fb49ece0a44d6229df546a1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2099c64eb6b4eadaafc33cbd2525139a

SHA1
2a30d6eeb0e17cb1a2ceb40c635d355da5064aaa

SHA256
e1d7b48af02912dfc7c32fa9f30876c22d83e981fe4699dca41caf3d0521bf83

SHA512
e0e1486d61f74c0c8cf34ecf73fcaa2fca02658de09f3185e157a09505ae8afc81c18d35e2d178bc43613c88744aca2ea1247305dce3001febafdf467d6799e1

Download Submit
C:\Users\Admin\Downloads\NitroGen.rar.crdownload

Filesize
8.3MB

MD5
ede1266566f1f5b72445b54fdd777871

SHA1
03174101545f6d9b39a39628c851ff217fbf23a2

SHA256
587322c9740d55c91f25992cdfa74bea19ee360e2c435a2bc099f02605166dc6

SHA512
5ee0d863d74d407b196ac3480e0921ef77c0c084a626e85cb0c16c2b09ef62c1d831debc87b4a0b6c5d7d71e3e778c7e5acad8d374eb922a55589f66794f2829

Download Submit
C:\Users\Admin\Downloads\NitroGen\nitro.exe

Filesize
448KB

MD5
247e118fea545a3c2fe66e2f6cbb909e

SHA1
9b3111d641b4d298c1929bb854fe625dce04a31e

SHA256
fb60104722bd3e978deb9f646a66c645669b56976f3860422151936945104b0d

SHA512
339d33716e0906b40ec99e959f364681af828d9e4c6756955ca20d4bd309ce534e77593d9e662fbf15b848f480dcd6ca73d94407499b067e1984d0070af96078

Download Submit
memory/716-433-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download
memory/716-435-0x0000000002E00000-0x0000000003200000-memory.dmp

Filesize
4.0MB

Download
memory/716-438-0x0000000076BE0000-0x0000000076DF5000-memory.dmp

Filesize
2.1MB

Download
memory/716-436-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/1860-424-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1860-432-0x0000000076BE0000-0x0000000076DF5000-memory.dmp

Filesize
2.1MB

Download
memory/1860-427-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1860-430-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/1860-429-0x00000000038E0000-0x0000000003CE0000-memory.dmp

Filesize
4.0MB

Download
memory/1860-428-0x00000000038E0000-0x0000000003CE0000-memory.dmp

Filesize
4.0MB

Download
memory/2920-462-0x00000000029B0000-0x0000000002DB0000-memory.dmp

Filesize
4.0MB

Download
memory/2920-463-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/2920-465-0x0000000076BE0000-0x0000000076DF5000-memory.dmp

Filesize
2.1MB

Download
memory/4964-421-0x00000000006F0000-0x0000000000766000-memory.dmp

Filesize
472KB

Download
memory/5048-456-0x0000000004000000-0x0000000004400000-memory.dmp

Filesize
4.0MB

Download
memory/5048-457-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/5048-459-0x0000000076BE0000-0x0000000076DF5000-memory.dmp

Filesize
2.1MB

Download