hxxps://mega[.]nz/file/JGdklRCT#1zSSBOLkixu-yV6VDduaYYrmEj9oaNNNWYV79BjpR7o

Resubmissions

14/05/2024, 12:11

240514-pcrpnseg5x 7

14/05/2024, 12:07

240514-panv1aef5z 7

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/JGdklRCT#1zSSBOLkixu-yV6VDduaYYrmEj9oaNNNWYV79BjpR7o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5416	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe

Loads dropped DLL 36 IoCs

pid	Process
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
5416	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5200	timeout.exe
4040	timeout.exe
4152	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
1160	msedge.exe
1160	msedge.exe
4864	identity_helper.exe
4864	identity_helper.exe
3196	msedge.exe
3196	msedge.exe
5140	msedge.exe
5140	msedge.exe
5140	msedge.exe
5140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE
Token: SeRestorePrivilege	4260	7zG.exe
Token: 35	4260	7zG.exe
Token: SeSecurityPrivilege	4260	7zG.exe
Token: SeSecurityPrivilege	4260	7zG.exe
Token: SeDebugPrivilege	5416	CraxsRat3.7.1.exe
Token: SeDebugPrivilege	2776	CraxsRat3.7.1.exe
Token: SeDebugPrivilege	5928	CraxsRat3.7.1.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
4260	7zG.exe
5416	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
5416	CraxsRat3.7.1.exe
2776	CraxsRat3.7.1.exe
5928	CraxsRat3.7.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1788	1160	msedge.exe	84
PID 1160 wrote to memory of 1788	1160	msedge.exe	84
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 4560	1160	msedge.exe	85
PID 1160 wrote to memory of 2296	1160	msedge.exe	86
PID 1160 wrote to memory of 2296	1160	msedge.exe	86
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87
PID 1160 wrote to memory of 2216	1160	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/JGdklRCT#1zSSBOLkixu-yV6VDduaYYrmEj9oaNNNWYV79BjpR7o
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99cdf46f8,0x7ff99cdf4708,0x7ff99cdf4718
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17955481930658958226,7877825570190386905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25940:86:7zEvent269
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4260

C:\Users\Admin\Downloads\CraxsRat3.7.1.exe
"C:\Users\Admin\Downloads\CraxsRat3.7.1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5416
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5200

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\ProtectBackup.fon
1⤵
PID:5800

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\ProtectBackup.fon
1⤵
PID:4468

C:\Users\Admin\Downloads\CraxsRat3.7.1.exe
"C:\Users\Admin\Downloads\CraxsRat3.7.1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
    3⤵
    PID:5936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4040

C:\Users\Admin\Downloads\CraxsRat3.7.1.exe
"C:\Users\Admin\Downloads\CraxsRat3.7.1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
    3⤵
    PID:5700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1824a055ecc77b7430825c72f6348e55

SHA1
0e6af069d63b1d9d239ecf0f4aa6eb0d9957978e

SHA256
4693d48a5c4f0691654ee18981c5047d7684e828eef08f5f076632bd0c428460

SHA512
b52750897929c123ab8165831073bdedd24690f6e08d681b7a02dcf5653bace1649bb6a33989e4f2e98933370e105a88a04338bce113d6f2a99aea02935cf85a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

Filesize
3.5MB

MD5
c889b9724a305cd124b04b133eae32a2

SHA1
ca58498016a248a41dda4fda0b641138ec813d80

SHA256
31668443a27dfc732cf846fa0ecca8704abe60960df9c5df06333725a03d17c0

SHA512
6fe23772260648785f542ba4caa475f3d195015dec8372fea8c9a21d6dc9241cc6ff17c12af70ea6730281a85ef16f21b3e66e7dc0df3e0d6dc5ff96a2e728bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
204KB

MD5
4b0321e862a9f04d412eb8346d19a759

SHA1
a1a90499badf879a374a005e2612ce8f77b25b46

SHA256
2431e983b4007885d4f7791a4a6ed79178404026f83e5a2996a49a3c7422fd90

SHA512
6d91e6f0f0ba27ffa98d06468e7904e90c10d03aeec14a1b3716358e2d1f02f08c4600252f61126546fc53efc106bb05e015346595d86ec936497d5e751c4d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
375B

MD5
3b92370842f1b2c65246474e0b5a1fb0

SHA1
04a299b438a70685319acf254c39f3fb1c72a27e

SHA256
36c8a9a41c1e36667985dfbb51115c287ba1fb3c37dcdf61171ebaa255b9ab78

SHA512
411141e47252a512ffadddc1b65ada1716fc59bc77b2cf6eafb4f2404102c99668ca3641e82bfc187899169ec0138cf50eec6a91e84ed176682625a04610e07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
375B

MD5
f768f2110ae3fea3d68b2d1a4273391e

SHA1
7d419b2676f012bcc0848a42a674cf38057fef12

SHA256
dfa541ecc1281370568e4f6392e23eacddac7ffb9aa7908d16f4432b89fa5cb0

SHA512
17f7aadfe76b400f1f44651f8bef622c9658c79051d60ff5503ffc5f91a7f898be45b7d393b5651c24ef713e91012f09d1345867d849a1134a0d3ea2f7c209c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
375B

MD5
8c00a56a9cee5fb53ec4f10929c37251

SHA1
e45751438ee3a52e80bb4d5982ef4a59c9fa91b8

SHA256
5fb2f9a52d2e015931980a1ca14a1959d7667459586d2864e9747cfc2da399ce

SHA512
54162cf20dc2ae68cb1816fb4d330f94339107cc45ad725d3ea3220a6dc9007c38b0c9a84a7d577454e2139cc4a9a1a73fa46e8e7c5c265535bbf558ba3000bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe576699.TMP

Filesize
335B

MD5
7887bb81dfdceca85d9f807bf5768816

SHA1
ab4261ffac5d302cca6164ddd39abbe3e0da6687

SHA256
74f12de91d4ef839d0dc9541ec33568ecf1bf82f9ecda01b0aedfe1f0dfc0a32

SHA512
2e969764764ee656e71d4417ac047c606edb9e586cde3b94fe1ac3cd77d80d2e78d73c3e953cca030daf04c056cefc0b743d1bbec623a8929eba0921654d71e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39846badc9e2f37c4c88384217f61a43

SHA1
89a73772f5ef436d96b64cc918a49a0a74822aaa

SHA256
6477dfb9d3810a4f6edae6ab40aebb38984131fd6dff06cf201789c470e81179

SHA512
f5097939176f20c4dd9088bd49f9aeed4af6febea8e204d8bbd5b647848914f152c889a93f4a2df8583feac6929f273e03894cb9309ff5e45df9c6abb86a4759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ff913a2ac8e3d5769b72f2c13776189

SHA1
cae239f563de847ddbb595d1d5e354787ea67305

SHA256
a5e8127cce6478b4681c0705e3fdda7a43d0ef8694ab187edc35034411ba2878

SHA512
89a50c210f381903bd71bcef58e62ad34d0cc307d9e88db242d6fa441034f027f37c0fc82c8ccd5a4c4bc1e37e256a9fdfb5232f98874c6e6fd1c22f09592d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
614d7b3ef32f206eba0895b1140581c5

SHA1
6b9da68abd4474ed75e3f270ff9a8f74a3b9c0c8

SHA256
d87db2bdac19d125d6efec4a628d9c1386c55dbd374a7d6714cf93ac5353d7e4

SHA512
ce63bdb10dd4df3a5289ac31a8a5d61cd8253f47f5206106988e18364684e97100f29f1288ae3753f6d6d4dfda927eca4110268875f70412e9e7e2c13fdad662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
976aba6b1b50c49836265f0a4ac4a5e7

SHA1
c20df90eb2877bfcc53f3dbbbba19233624c4226

SHA256
43a75e91385ef92b77d5a3bbdbfba3a58660b6bc3dc06ef5d252c3434bd3aca2

SHA512
d8ce6eec88f3bbe4da50be1a23baabb8ed380ac161ee1805c8f03d60ba1b7551b5c378936673a0799e542a57a620964dbe9ec17fc22739b1ef9182de9a8f5ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579d59.TMP

Filesize
48B

MD5
d77dfb4239ac0d8294321070bc0df6ce

SHA1
2c43aaf62b2ef89a9d10e3a49a8399c7244edaf7

SHA256
38d17605ad6360092e9d426771588a3148e8782944cd66bb8d1387b0cb9b2208

SHA512
55243b84ffd1cd6839400b1f8d461237100c99ff51ee8aa652014284cd47d359fd7e026ac03e6083149677de53180f62df9fcbc391f323852c309c4309edfedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fef907c1333e4b6f4b58f11137449591

SHA1
b01f0c2d06d686770203c13f1507ef1f902eadf3

SHA256
e8a0e2f0a036470f0a558cd8841831bcdf86a1dfd7aaaccad00ca40ad8bd572a

SHA512
5a819acc76371bb680e74446c44f01b39d655b5eb8c4241297e5047551657fbebecf67dc508e1fd0da0552307aabc87d1ee05074c821581402067c30e8a7d543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
108491b1ad357887706893dfce007987

SHA1
3127d87afcbea6f3b29a09706f811e7f9b1bc455

SHA256
3b2215f153249aaff0294bf3e60cdee3ef2d97b25a7374550f5946fcc668d51a

SHA512
1072d41f453c38638cb0e5186ccfb0f60c5a0e7b4bef16544ed789baf1014a24af750ccd8a3883fb5538cb2f5b04ebca9df8c75887dbcb046f4a8d3d6c074d92

Download Submit
C:\Users\Admin\Downloads\DrakeUI.Framework.dll

Filesize
1.6MB

MD5
0562b4c97f643306df491a938ae636da

SHA1
0807c37b711374ed4814a9518c9e264517de89a0

SHA256
70e72477f7fe0018e043ce8fe2228a289459058ee41caecd6f05855898bc5b80

SHA512
c969cd274b6bf65a34f1d129b6531616a3485a1f153088609ad2369d380fdec37c3e88a423495912715a26e353dd5498f7f9e73c895e9f3f18fc7d1e65d2ecaf

Download Submit
C:\Users\Admin\Downloads\GeoIPCitys.dll

Filesize
191KB

MD5
c070f2421851420e832e4f5989a775a2

SHA1
d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46

SHA256
d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131

SHA512
75c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e

Download Submit
C:\Users\Admin\Downloads\LiveCharts.WinForms.dll

Filesize
19KB

MD5
76c775d09b24798f6923452e920979b5

SHA1
3fe2c79512a0d1153fb07f6640b27106c90d333e

SHA256
a5b61c1726304e6b72e09a0f35ddbf52f89a75a4e28e6ed098c8d1df6081b4ad

SHA512
eacc093f8ac9401f617df7e07fd68a8a0f1f03aa150283de67ad8c338fcb1520b0f07335547cf533a646ff95f239c92b029f952a706e736bcd9508817c9be0f9

Download Submit
C:\Users\Admin\Downloads\LiveCharts.Wpf.dll

Filesize
212KB

MD5
e924f79f0b5f3e79c98477d75831813d

SHA1
64f71e20e1953b13c771d8a8e63549ad6d64216e

SHA256
1bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b

SHA512
063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1

Download Submit
C:\Users\Admin\Downloads\LiveCharts.dll

Filesize
148KB

MD5
9642899636959b7fc89bf34a8b998a90

SHA1
479a0254d1c9e5565c7d861bb77f54b7eae50c96

SHA256
9fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca

SHA512
435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2

Download Submit
C:\Users\Admin\Downloads\res\Config\Pass.inf

Filesize
24B

MD5
e1b54e517318b3b3363551e926b9e474

SHA1
cdd2df4411afed1c9e44997dc9ebf85728eafcca

SHA256
dab8688b4d139db5ba57783791efbce34e9e46c37a2c506685cbc6d18e68073e

SHA512
edcdd405bf3d57cd524151e9f41670cb7c3bf693e59254c8a034c30a8457b936d507fa434d38e733819a11cf3afc6858d909fbe73bf091f3c96526cf99138728

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\-1.ico

Filesize
33KB

MD5
410e4dba1b3e1acd689425d024f3fd56

SHA1
d38fcae133db0cff918dc455acd8ffa437989659

SHA256
e10518132ded7ee51739953121f6efe77412aa85bd744ea7b256a5a6da751e44

SHA512
cac41002ef9ffe4592a0949ebb3a21b3837645838e623d3a188f7e70b6c82b2253c586a6a9395007849da0ef94d6dc47bcfce9cde554e8b6becdaf21082cf014

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AD.ico

Filesize
33KB

MD5
2cce7e02f2decbdcf648cc249eeabbfc

SHA1
4a9cc2ab3162a949d5f559ac2828813da7aaa6d2

SHA256
ffd5e4016c4bc247f49ded9d4ac463e7bd9d7f92c9889528f5f3a865dc8234e2

SHA512
be3d96046ec50bfd8e4399d1268856d0cc1f541635896ad128d660660294cfd98f79998dfa46849a2e6e5aa3e637626a94a062ab694444b7210f69b3a55d1686

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AE.ico

Filesize
33KB

MD5
5c22046c8b4f37adbd0f41a811238d5e

SHA1
e3c49202f86ff0718f169ce4cb82570457891bd3

SHA256
0759c987d55b3e2bc78ea1761d451b0b40928865c5b5652ef7b304426bc1dab9

SHA512
655c129c7456ce083a9eec235e04b871a16c4226f7cb1aa2ac4b119770b24ac61036950b0a77257af96352318a991037a1b9b5e2925ca84272995dd8135abca8

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AF.ico

Filesize
33KB

MD5
e18c650283441dfbdc3aa46a414f326c

SHA1
eda65607858d6b93db9ca4a9f20cac382cb685db

SHA256
ecf99e08bf15aca4325c4790ee20ccc674b6f4fc6dbbef0885f36bf8e6e8aa68

SHA512
f10cd2a31390bbb06546052214a817153f35ed9b5c5403995267e1e9b4987630c08ddf7db414146211b8cfb4769949cd660060bd2a5c8a51bf5bc381372a6673

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AG.ico

Filesize
33KB

MD5
93f8d14b56bf5f257f87ea438c7a3601

SHA1
31b71ace333e016408af2f18290463389206d1c0

SHA256
8e36c85a8ba6b92ea906d4dcda412b492449e668fac3b05f5fc512118fa71e5f

SHA512
a70adeb933e65ba11b28d11fad9a2eae29a623013f9bd8383afa5c794f214a6820f797f03f1714759bd38356b160b9c1e159dfcecbfa7e95f4ce2b24bfb24cf5

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AI.ico

Filesize
33KB

MD5
2d5ee470e51e769e649109d2721937d3

SHA1
89bb18a904dc2857e52cff3a384df50858d5e17c

SHA256
08afe88e8a0475e320c6da70ff530ada3a6fb426051a6337a769c14dc37ae316

SHA512
d6801a6b238a9779b0b8829f79412c227ed8480ec060e3d1992c9b1024c94a8f1f6ed32097c8a93a6f2600ad68b2ac537fba5f0982a41fef01a832994cc0cc20

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AL.ico

Filesize
33KB

MD5
5dbcdfb9a2f9120ba42006c997e22b42

SHA1
01fe537ccabec19b252e07ed6ab557a46a70e6df

SHA256
8f726d2132b2b7764936aaffb52ef7b0271abf857949588c36b32fb3c769bcc4

SHA512
519b0757a1bba205915aea9f8bb715072420fae126a4917f146c9ea7567fc231d74f93ded8dead86dcffb0fc293de1a4c85a161dd894b490e57806df67cf01da

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AM.ico

Filesize
33KB

MD5
16782d3d013fbdd1277424363dd8a0ad

SHA1
c26e1fd52de7ceb24af6f01fb4486d39e1932bfe

SHA256
faf3d661a09912ff0c1f6cc92dd8775c3d2be31e9a72fe0962c144d679021d86

SHA512
44bda0a5d59f1ead6939a6af13b81ab23b28be44a61e7e736d5e21cbfee813a3a44c5832b16036717f0e18a418dc449b5c3aa1e0f05c4830cb3b64698ce0901a

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AN.ico

Filesize
33KB

MD5
ed05e0515da2b4c11d839493abf8d44b

SHA1
8862a2bd75632d916fdd049b31f2155ac7894524

SHA256
8f641c948721c9e7e92f28224b8b1beeb27382e5bac8a4014a57537dd7543a8d

SHA512
31613012f4ea1da8d1318f69e6e9a4be068e9e490f01ef0e1f880b33f50d715d92d7498ca99223ce81d6656ccc4293a7fbd272939e99dbc21d62176a6c6d9553

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AO.ico

Filesize
33KB

MD5
a5c78266329a1eb0f3e52bc0343783b5

SHA1
e0b254e2176f0eab8d2b76213a64c24ba1788675

SHA256
550a1b6e2b97febd865cd130b0c0d484cf2fd02b8066ddf6d7290b9cffb35059

SHA512
61a7bf67f9019e5f4c653246e1844703619d6421c3625c963862ee9b0b3975b26ce2f785c9b3cc79e77181c098f0e3d60c9f0e21203928117c6cd45f104af36f

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AQ.ico

Filesize
33KB

MD5
be6fa7ab4980735841141d4d3f642a4a

SHA1
c6d03cda7f73a959a3d20d0e3897595fbe2915e9

SHA256
3439ebcdd8e7a614f157f58d7f77d190aac7fe514129a01024a8b68b7008fbb2

SHA512
fbc116df306de7a04f43cb2becfecbbaf103d6b252336e0bd37f006506140ceb14f114cdf62e203bc12f78c25906066385eb6caa67f694d8526b341bcf3462f2

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AR.ico

Filesize
33KB

MD5
bb4f489b2ae1f6601513296357fb478b

SHA1
b8337772e2e17d48412f44373ea8a821b85e9c54

SHA256
af2f591584f6c59da15fd42e5175dc136844442e1c755fac047b0efae3956c50

SHA512
547e0753a1ac4058ec609ddd2d6ce54b50cc47177ee319f5bcc82eca9e231d01d74b7c2d02de90557c08224bed962c74f8c4079a1292153cbff32db234ddf6a6

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AS.ico

Filesize
33KB

MD5
caba1e66c954bc8d784efe2a3c02d808

SHA1
ef1d5ba4735c99b55648503513d9ae7393a3a6d6

SHA256
4946c58e14318696ea03cf9bcb5d8a7334273c2f9e30173a3c7ae0bb7ee70bc4

SHA512
430806d048e383411e36a8e3777a27b7efc1819cca50c7d7eeba662d32351a366d3cc0b892f819b6a96db8281c5e249d3faef13e8a4ec3bef75e67b9567bd466

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AT.ico

Filesize
33KB

MD5
8effa2f5bbcecf6415b04f9408c0a65d

SHA1
3f3249fe921c1d4767b76b0c3a720cba0262b565

SHA256
236c59500b9bd83212375ca7514c0d62dc088203ed269e9cd55ca6349adbc8f0

SHA512
3f8a1f0683207ed616819a0e42b18e5b02eab0300fcf6eac1c399f0e5475f45d62e0bdebfe0055d411d529649938623acfd4b3b02fe80fc9da6a0492dcd31822

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AU.ico

Filesize
33KB

MD5
ae8189b2c04d783a2f68f0204f1baeab

SHA1
e5709598ed08427a1dd83e1d994330bba1b1b091

SHA256
047f9bd82ca7e2685c1dca4c065209977b5e8c32f78ee821bcc7aba12decb044

SHA512
ef1dd8330cf3cfa9840a5902e13c669e6de911ca9f383067506e2c106f05021aa79df60e2a867259bbd1dd056b9367d5814e9bcbafb242d718fa7fe0fe664248

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AW.ico

Filesize
33KB

MD5
49d969f363a153b7e1cb4dc2cb742238

SHA1
2a8fbfd37be58690dc2e0ca2b3ce04c2d15d6eec

SHA256
f0d730a0d8ce85f049a6d8a52733c506a8cf48584b18838f3d677b09d9c09b52

SHA512
97f17ab20ee96ae4e71e31c7864c509ef0b714215606413c801b3608770415ab63d6d5be0980af7231e4c2e270407fd273c36e0e47d524e59126b933fafa4eac

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AX.ico

Filesize
33KB

MD5
19169001a889e72fef769900ca7a8b27

SHA1
e17d9c371cc34d19f05c46d81e06f7ae2159dc7f

SHA256
5ac8c61a8ad2d7ecc3e76927fd6d52b4f279c4d3a92dd32715395581c4615423

SHA512
4c8247ab0f37cafa90ae34aa865af45b6b388fdfa8ab96935d2ae2064c620240dbb8f93c9958844a34fbd249422a9b5751639179697bab44aabda8afc18b0454

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\AZ.ico

Filesize
33KB

MD5
3abcf274a070469b7fd5cc1f60408c9d

SHA1
a2fbdbc0028f398a90b351fe5e3a2e4b31153b07

SHA256
d3cc5eeabeae7f54a8c5600b5c2354b355492634031e32e8ba981806b0494b61

SHA512
14be128eaa0b49b7ad07ad2230732e923a30c204faae1c3afac766088836845fc385a99ef50938f6261456e0e45afcd17c0661345ab72cca8b66bd710eb3035f

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BA.ico

Filesize
33KB

MD5
a603875f8aecceb0d62c9c346f250e62

SHA1
44b58245d17d8d205e6bc2015965b3ac9374245e

SHA256
b586dd987bd326d24ad3edddd1f649d2fc49eaf96028e62e6e14208591a31a9b

SHA512
62c218f9e7e30c056c02b0e9e35b39fa9b66faced7fa8c3a14e9636450d271da04aa5f04a627452be03d0df062b38db0bbeb4fcdedb0d7d820d0bb186cb38953

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BB.ico

Filesize
33KB

MD5
a272b143736710d954a021e7b5b1fe41

SHA1
abf3a358da02a0d9786a022a1367d9bf805ae060

SHA256
f679b5b2dfe2c980b55b713a025936c10260db10254391c5b66dcec51dd97705

SHA512
9290ed552de75f080719d3e6f4954234b48cb1bf87952bf62d1799d64c0d0a2419fe6776d5a84f691f877a6e7ccb176824e7dd00f5ceec7da32458faf1ef6485

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BD.ico

Filesize
33KB

MD5
7bb2410b8a58504b0645e9e869cb903e

SHA1
a1d49a900e2367817575d581c34a3f4b5282db25

SHA256
f8d767b5e74cde08d614d64bc51f4d9db90dc056dba1c38ad8b21aa6c598a286

SHA512
a629b6e3a5fc4cc0499e18139260a7c67c629d76c8264ffd3d99c62154354b50bcc5d73b0475891cf38b90809de996648c211a9c2df0aa4e885e536fe4d3f825

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BE.ico

Filesize
33KB

MD5
f7ed63c5a74feb0ee727cab8d64e2ba2

SHA1
d06d03cc1f832a30c3b5ae51f164291498ff4df4

SHA256
bd0eefab4e51b0beae22d4557f8c43e2908c39b23158900d9c3d38d4a3c27b2d

SHA512
01bb6f850b6b213e365b55861f6a92442c15931db6989f6be03a009a97151abf066eb1298fbd6d130a7ff47970097ecda5855acd2f15fb750f1e5f6916b06e48

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BF.ico

Filesize
33KB

MD5
afe862286a0c17305ca72a54bacc21ca

SHA1
e220c5912d11960c8e9ee38f44dca1361b729dd3

SHA256
5f865103ca695247ab7ea7e02a1942ef01cd65120973e17fa3fcc3e59f9f7eb9

SHA512
33905016ee79a2213a5dd03d553e0245058422d45861f4587f4b3aa2e9562686c209fd1e76575d7614a52388f3308907bbdf867223e15a7fe62d3650b130ce68

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BG.ico

Filesize
33KB

MD5
8237c4778058a9bab26f406b8f06dca2

SHA1
4bc2b85679ea7e634af68b4e31135d3205ae01c6

SHA256
426c8b630bdc5916c5a687450e90a265d18a1042111c7f26a5a7d85d143044ad

SHA512
b64ec153ba921e2f91146ec1461a75b59fb8e71ddb27dc306144a9cc1aa271e6a61096210f4a3a8e56b45ced2f16343cf61a8bc594b52ccb1d9a0d5b312456ed

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BH.ico

Filesize
33KB

MD5
75c68788c23a5adf9efe2c1b70526710

SHA1
3750a765118359dd026580d071da6bd3ecd677f3

SHA256
2525fc71eb284013f3add2f13578363e8030ed41fec3a7fd599a96b2a8ba0d70

SHA512
c2a8ee014d1c9ed3ff09d6781c5062fd9aa2dd233c911358eefc2f27d24cee05883086420b2ecab27138a5f6d0143e045ea2b80a221b30b28eb02ecfe3b6c0d3

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BI.ico

Filesize
33KB

MD5
f44e4ff32292c899f1dfc0d40946c945

SHA1
3e1c7d81166d64dcd6052a7fbe72dd6a56753682

SHA256
84145ca9e4595bdd4838af891ca65f3b88f4ce830f867b6d4f821780152b9c16

SHA512
aad82aee512ee6768ab98e83aeda9b6954d792e81273594d4c2f46183fc0f7df8c0fc4a8035a43c8989b61690dbebea8e286461b01eeafa3398ecbe61750fccb

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BJ.ico

Filesize
33KB

MD5
994401f509db6b74c3ba205814ff1f02

SHA1
3334f65250c7ba7cbee20065bf4d52becdbd392d

SHA256
569c37c33bf5fe84cf1766c26c531be1398e80585551cd065dfb8dd62a57b608

SHA512
cbdf647eebcbbab5df5b8b68ffbb900534f2d41ec2f4d74e53e53eabbd2219caf83dce0cdbb53cd9c126ce1f88aa667439bce5a5a6ae5e6eb07acc8c8740d1d2

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BL.ico

Filesize
33KB

MD5
a5b94c9bcb4d88d9db4d0a568f80b079

SHA1
80167cfe16e20d0eda73b7b4627ce676911814be

SHA256
8165efe84da8f10193cadb266016cfb6ca87724614d00c70495a7b9afc172caf

SHA512
5a186a33e52870dbe2e58c889e913315add63486dd184b216cc3a8b2317169e3ffea8eaaf95084eef6ea04a0f3a791d6012bce6b0118143aa514820050577c54

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BM.ico

Filesize
33KB

MD5
d3be823145f7a4b0424beecfff5c9e75

SHA1
0d279742a4c5468d58f2d141b5e3922699b165b7

SHA256
7f33f4d7cdbe5ac4745917badc34bb93d38a8e5abff6bcdc0c76d3171baf275a

SHA512
6f84de202333e036d1aa772a82448e3e0adb2b453d3f93eab5ed745b4399b74e07abd3a533862a68b57dcd1982941698545e239a6510e0f59a51a442adbd7009

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\Flags\BN.ico

Filesize
33KB

MD5
4af382e98b18f91caac79ae5240ccc40

SHA1
3158bae6579aa85151b67ab08687b64467c19e4b

SHA256
9cb1449764b3abaae85b2edb0e39afb9776e4c662591f3b241b741a502bb777b

SHA512
0a6daa2b22ee49819d0cda58cfe74343638c62041ef342b08918edd4e1e9e4e90ce2e72a09773b2d9a8859310d237cb8f765fa9658cdfa4adaf1b9e40bb5880a

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\GeoIP.dat

Filesize
1.1MB

MD5
2fbec46d430f57befcde85b86c68b36e

SHA1
3ff9829e3242deb69a7fde0832b7d9345b925afc

SHA256
681ede512fe7ac21e976c754bfc1e1a75a9e02c3d931ce6849cfaa9d4080338a

SHA512
42036af6f57e446fec194ce71fa634dee9f4c77342f64a867fca8730d76349190960a7e7a5967ea59c250ca1b220d4845b4911dd63ee870f5620d9eb513b91d6

Download Submit
C:\Users\Admin\Downloads\res\GeoIP\GeoIPCity.dat

Filesize
25.6MB

MD5
fab3cc04a19ffdf90d775e27967a7c25

SHA1
723c1635338bec7c1c876769618789268b8faad2

SHA256
bf41a0a700e3b35415609d090b15c5355e5cf4ca703ab119626b2d450997c608

SHA512
fe013386ff799cda195222341ee601d7b8b3c5c8abacf3c80e3fa03af52ac848f8a79a7dd87d8831d5a366243343f1025f704f49d858da4b02235968f834a9e6

Download Submit
memory/5416-1299-0x0000000000970000-0x0000000004C2C000-memory.dmp

Filesize
66.7MB

Download
memory/5416-1308-0x0000000009720000-0x000000000972C000-memory.dmp

Filesize
48KB

Download
memory/5416-1325-0x000000000B830000-0x000000000B9D6000-memory.dmp

Filesize
1.6MB

Download
memory/5416-1300-0x00000000095E0000-0x000000000967C000-memory.dmp

Filesize
624KB

Download
memory/5416-1317-0x000000000A340000-0x000000000A36C000-memory.dmp

Filesize
176KB

Download
memory/5416-1313-0x000000000A380000-0x000000000A3BC000-memory.dmp

Filesize
240KB

Download
memory/5416-1309-0x0000000009C50000-0x0000000009C6C000-memory.dmp

Filesize
112KB

Download
memory/5416-1324-0x000000000B680000-0x000000000B6B6000-memory.dmp

Filesize
216KB

Download
memory/5416-1304-0x0000000009970000-0x00000000099C6000-memory.dmp

Filesize
344KB

Download
memory/5416-1303-0x00000000096C0000-0x00000000096CA000-memory.dmp

Filesize
40KB

Download
memory/5416-1302-0x0000000009780000-0x0000000009812000-memory.dmp

Filesize
584KB

Download
memory/5416-1301-0x0000000009C90000-0x000000000A234000-memory.dmp

Filesize
5.6MB

Download
memory/5416-1359-0x000000000C6E0000-0x000000000C6EA000-memory.dmp

Filesize
40KB

Download
memory/5416-1360-0x000000000C710000-0x000000000C722000-memory.dmp

Filesize
72KB

Download