badrabbit | hxxp://google[.]com

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1660	BadRabbit.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
139	raw.githubusercontent.com
140	raw.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{384AB96F-0E6F-40FC-8E2E-922710938D01}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 672398.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 100293.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
804	msedge.exe
804	msedge.exe
4044	identity_helper.exe
4044	identity_helper.exe
716	msedge.exe
716	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
452	msedge.exe
452	msedge.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	rundll32.exe
Token: SeDebugPrivilege	2268	rundll32.exe
Token: SeTcbPrivilege	2268	rundll32.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1224	804	msedge.exe	83
PID 804 wrote to memory of 1224	804	msedge.exe	83
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 3548	804	msedge.exe	84
PID 804 wrote to memory of 4428	804	msedge.exe	85
PID 804 wrote to memory of 4428	804	msedge.exe	85
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86
PID 804 wrote to memory of 1976	804	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffead0b46f8,0x7ffead0b4708,0x7ffead0b4718
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6464 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7154924100431981034,3157963233776752428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1660
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x37c 0x470
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
1.2MB

MD5
d717dc20ddf09d562cc7d4bddc69ea5e

SHA1
3c0a07ff93171250557ff41c1621eebd8f121577

SHA256
5b92638f93b754c48a8050863fe38abcb2ac7397979bf3b9dbfa2ffecce2383c

SHA512
07b48be4727a55e34ff097e8974ba14251436417edd64b3876b09cdfc31220551ab12f6f080af697e23b6cd9afda50ddbbbd00df53fbd538893b62fa43173e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
27KB

MD5
ac4c4890fa7b92d5f076e94b226f42af

SHA1
15af973f75d3440b01f9b849d8a2ab7de4dd7bc4

SHA256
a2f3c4f186f667d67c725d82bf27ccdcb0f760447fb3ec2abed61f2107105051

SHA512
cd38b78aab26318c948e583ed3db13c21c76c9d83141f3ce5c45a3c74733e6e9e1329ca5afd4fd8910bc9f9536143ef491e74c04e10a5a38734d4c56d26e5c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
096cf5f2b8d98db5c39e6d749df7b7bc

SHA1
a38b40335c403afcb836dbe85db205d732c47e85

SHA256
458e6454c8ef2e551552e3843d44a8cbbb2a2e314caa1ba3ad43a52ed99f90e0

SHA512
c7101c39ea1f8600d8a33af3765b7295ef3a34d747d51ca9a015fcfbaff55750b156198610ac55346bb2ef04c83201dba5ee38a6a2b6413553028694f71a1d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a8b2cce27a5d92dfeb6a4de786a1a766

SHA1
f4a5d88645ddb79526d724a0196b4f0470f56c35

SHA256
ad2e63415fb9711c98e7872dc1f7fc1541e48b0fb8c8466e1bf465c40a1d0e4e

SHA512
3c70c7d4ce4dd3584c3dfe5c1b3261ad165d619e1c44aa5d234d6b054584d2041a49693b715856f0e18ba618cb281f46177abea4cb6461203f417c7ae8288c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
812ab034ae18f68fa3e710efe15fc1a6

SHA1
ed1778c07cb4b6b5d6da13612d47b33723742dd1

SHA256
d03a14b8b7799033eef43638a5091e74909a67ec9321a6d0167060160f7f1109

SHA512
19ee857ea5cb73e3665ae07324af2b8ae2cbe4e66521411c25a936f33533cde880ed97f42a2744faa6804947fd0f20193d2ee9c0ca7a19c62c39a6694a5dfc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3eb2070a8a2debcc3e6b71c499cbaa45

SHA1
9c2e97a814994db48e8e46b0e6353374fa8ba06d

SHA256
67c22658d1d950e90ca0795f9297d6118ca96234e17c7b58fe672797eb870301

SHA512
c9c44f7479e18e5e09e267e84be1c72f75000f58896f1648e130a3b9e98bccf731ceff3e02deccdd96247e1bad6ac8b7fc01644a4bb778df9145e0e46330d703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
785b96d060a4d7c27ea74b75ac42cd7c

SHA1
572b8d26b95eecb78f63b0a0e6ad043f0d8e3a7e

SHA256
b0c24becafa4c5fa26f8bbe5605ced7442176addb0169330629fed762f3bef88

SHA512
4cd4e79dbb618f0b35de68613b2b296c4688602e9bedc1f638a380b6e91cda38772b8f4d61a4bcaf5f282b250468c45c344beced1059e87ec90c8799d1fc7c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e1cf134558c61c2cd7faadf580c8f29

SHA1
1f2ff6490ba26176dfd1bf64582d0c0008233e3b

SHA256
65bae6366645107dd133c732c27a532c13df56143fc4d688d38b7829013f796d

SHA512
98b0457ab427bc9625323a630bdf0ed2591556a411767e56454ac5199fca6e444cf4d015eba922ff30af8c31e87ec533ed2bde6e7fff5295ce0a2348067cd9cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
56008399ae355e4e0033528257050fd1

SHA1
258f2abc6e92984aa4bb1d709a56a5abb23fd1fe

SHA256
106e8c210f6c9923829cf9a002bddc1576cbf00dfd4091d0556f23df2ca5b5c5

SHA512
bfa92518bf61c4fc3076cb78803fcd8cbd9d1222d70bb4bc1fb78d3d373814adecb77797867001e1e06cf20381993a75a02e8b2454704ac2c00fe4bc999333ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d8c5156c6c33d77b7dab8410dfc9860

SHA1
13cf6528b679d1c312edf5d32a9ed9760c33510c

SHA256
9226d5667d27be71a42fe6d2d75fc6bd64e8be8f60c65684d92ba89d37020b21

SHA512
cf56974544c030b751287ddc2500fae7e95f53e87874981a732becb0450fdaafd355d59e6feef45cd7ae6c2a496c97181ddc8697259375d724326be7179674f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8becb646b6a3a89123a0b171e74ab1e2

SHA1
4641f6be57317ca0abedd92e407981f3ea7f179c

SHA256
8494ac37a19706a5994af06670c67ec5f1614dacffa1e44577b52922af3f6471

SHA512
ba0a6c81f07fd8a66e0f0786f2d62383f81c75be62588b9c1ffbed750baa7a67daae78cbda17c01730af957ad6a7fae790599468384d1ea48f6e3273e2ee65af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bfc6ceeeafe723377a460b3fa6c87378

SHA1
dabf846522eb3304f6228bd74a10161ed4680439

SHA256
316a251f033b712e09c1c65a947a8002456b48e46cce920e1741941f13b73211

SHA512
18dc9d0bc99d416c0b07a367ca68072783a9efa550b08cc4cd97bbb847f9116ca6fa4154fdb89a0134e2c4dac25f322735a6c6dd5648b5ad7d86c34833631b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f257c2e53da2d8cbd38d4e3b9169b53c

SHA1
aef15d493ec52a70296f4c84af9efb861c96b900

SHA256
be8e40b79e18fc7a8e65121f00660268e157b9d37666ee047e60dceecc50ffcb

SHA512
5a5038ec7c35891d9bb117519636373462c2c15b7301b14b62167d1085cecaa04f28e077a5f897114c891fb27c8066527d9551b67693873c208595cafd5766e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78ea50d778ae712493aaffc3d73261dc

SHA1
99a4e06e245c80183608316bc851fcb9b67456f1

SHA256
169ab386cd3bbf01073fa60f5151fe9806705aebf364d9f3f9de1a34425fa6b8

SHA512
b9c26e93a64ef3ff85ddd2f248d2e1936549edf769ffc9059930b38feb34e96d64f99ae89229caee90200defa9dfde30de52c384086f0ba0fe2ab5147cd8d26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
534B

MD5
8ffe7fb18969278f983eb2c6db90406b

SHA1
684dafd6ccf42c3d1e8a2be4bbb47cdc09d0bcba

SHA256
83da41a749fbfc14fef3aeaf19526fa10279f6d296515e5b590652ccf92230f7

SHA512
c9f09f4baa7ff739d30ab1e0deafbf43da98ebdc8d358e9a05815a374ae1fb018fc9f2943dc8ebdafb03ce79d4640c126e84689fffa7e27e595c4da0b3dc47f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58272a.TMP

Filesize
536B

MD5
e5bad700551fa409df127eb23cf1a182

SHA1
a586cf498b588eb692919c7a6a341c197c0671df

SHA256
ebc75c883d36f6f4b1a046efc980ab4296cd8ccb6702658109b31604e0a22d28

SHA512
29a1263818130ca8f2a69fe5b7ef5f5274a1a461d0656c316939ccab8f52411fcc429dfc72d43b0a89435ad931e565f6648fde813e95bbf68e63fa02a8771e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e99567d9576401383767f7da55c09b3

SHA1
7b15a2960efb2fb8a980b0dc395d4daa668ca6b2

SHA256
7f6ff309df0ec72a6aa1e737573f17ac9d08ca338bf229d7ddf61bef405483fa

SHA512
5708e6cb59342fdc0e82e7f35d2d7019c2ee143f4295495e810c1785438efdee982cf883598f91e5315f6bae3e463963a46d7f78afbb090530b1ff188e9650b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1341e9f05ce96672e2e088dcd466a1c

SHA1
ab76b9eb58ddfd1ebd0222fff525f967ecd6d7cd

SHA256
89be3aaa3b21fcebb12e479718297411473d67faea9b757fd535a91cce383822

SHA512
d85b0a7792524fdcb123e591a7d187fac58cf3027c6fddb35e18a5ac00bfb554bcc3e9e65b33a1de6282bc430ab5e0b5cf6a30004aa8494dcfb5bbd81aa9808b

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2268-1055-0x00000000023C0000-0x0000000002428000-memory.dmp

Filesize
416KB

Download
memory/2268-1063-0x00000000023C0000-0x0000000002428000-memory.dmp

Filesize
416KB

Download