hxxps://mega[.]nz/file/BjsW0Q5K#C_FDyUmglUvXk1wIwpO7_eyHfrcy8COtNBI7YaRFxac

Analysis

max time kernel
749s
max time network
740s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/BjsW0Q5K#C_FDyUmglUvXk1wIwpO7_eyHfrcy8COtNBI7YaRFxac

Score

9^/10

agilenet evasion themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

CraxsRat Cracked.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CraxsRat Cracked.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CraxsRat Cracked.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CraxsRat Cracked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CraxsRat Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CraxsRat Cracked.exe

Loads dropped DLL 1 IoCs

Processes:

CraxsRat Cracked.exe

pid process

220 CraxsRat Cracked.exe

pid	process
220	CraxsRat Cracked.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/220-631-0x000002095CC20000-0x000002095DC4E000-memory.dmp	agile_net

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DN000000006569C4B6\Runtime64.dll	themida
behavioral1/memory/220-623-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-628-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-627-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-626-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-629-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-637-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-1268-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-1643-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/220-1645-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

98 pastebin.com
99 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CraxsRat Cracked.exe

pid process

220 CraxsRat Cracked.exe

flow	ioc
98	pastebin.com
99	pastebin.com

pid	process
220	CraxsRat Cracked.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

CraxsRat Cracked.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon	CraxsRat Cracked.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk	CraxsRat Cracked.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\CraxsRat 7.2\\res\\Icons\\apk.ico"	CraxsRat Cracked.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeCraxsRat Cracked.exetaskmgr.exe

pid	process
4228	msedge.exe
4228	msedge.exe
1052	msedge.exe
1052	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
3224	msedge.exe
3224	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4556 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1052 msedge.exe
1052 msedge.exe
1052 msedge.exe
1052 msedge.exe
1052 msedge.exe
1052 msedge.exe
1052 msedge.exe

pid	process
4556	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXECraxsRat Cracked.exetaskmgr.exe

description	pid	process
Token: 33	3340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3340	AUDIODG.EXE
Token: SeDebugPrivilege	220	CraxsRat Cracked.exe
Token: SeDebugPrivilege	4556	taskmgr.exe
Token: SeSystemProfilePrivilege	4556	taskmgr.exe
Token: SeCreateGlobalPrivilege	4556	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeCraxsRat Cracked.exetaskmgr.exe

pid	process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeCraxsRat Cracked.exetaskmgr.exe

pid	process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
220	CraxsRat Cracked.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1052 wrote to memory of 2492	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 2492	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4072	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4228	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 4228	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3700	1052	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/BjsW0Q5K#C_FDyUmglUvXk1wIwpO7_eyHfrcy8COtNBI7YaRFxac
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb93be46f8,0x7ffb93be4708,0x7ffb93be4718
2⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
2⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1792 /prefetch:8
2⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1670486054504718254,11735531413446975397,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1808

C:\Users\Admin\Downloads\CraxsRat 7.2\CraxsRat Cracked.exe
"C:\Users\Admin\Downloads\CraxsRat 7.2\CraxsRat Cracked.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
c40113ee8e539625dc3d499dd0ee818c

SHA1
f6795623a9b65700e191665b3d16cc36f9d3f18f

SHA256
25ad52f0732c240a60af4eff07782b431bb48d8d61140e03634d848d34aff78b

SHA512
8dd8a1e28f8dff2c10d26e3806b69a443ee4b70bff3e4c6f94ac0324331ad90e666ea1a91fc48f6c0a5ca08403064bba5db7bc07699f14379430002cf60441af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000
Filesize
4.5MB

MD5
d1dd4ef17c0fc269141a3f4fcde468d5

SHA1
011fbc462b782b115c6bd2cc34b3439810e048e2

SHA256
965b05da5af3f50876c2d7d2120260b2881542bbda00b969e8a3240a9bd4502f

SHA512
bad7a068e6b52f277d27f14b4251b0a8d873b8c2deb104aac4376bb0abb8248ae00096e6efc14cd7bdf76a6f169a0f1a405ea69deb36303ffa474c1e2e6a7695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log
Filesize
34KB

MD5
9a617b16cd572ace82cf2681373e1f85

SHA1
4876726661c09c1eb01e00cbc75684fcd4cbc031

SHA256
c6300b5c7efcd3596895ea30a55a49ae8033b33d8af213d2ddac6366040287f1

SHA512
1a97fc70505c5f5d4e35c56c5c4a0ae23c5ba7efccc6fec1aa0f4d48979e985ca4b63fcf1985ae5fedf91f1bdda6ec0e7b4e60f9855ba230c2a226f16a3f3f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
375B

MD5
725bea84afde17e6a4b098748c9bacec

SHA1
3f821be57ce3a90b5649dee6dd7f6de139fdb707

SHA256
f4dde4bbd44a7c2971686b1470a3818b294509cc90e47158d7b6291a5b96e2e3

SHA512
3796a626f557cd1a40cb08c757e4c304aa2aecb23840e108cce37db6348a7310d428281b3493143ed95605a5e38ed916ac9889430dda15e0b0a6cc40acc70312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
375B

MD5
4bc855c975256b4ebaf76ccf6066a63c

SHA1
56e6e1dddc5b431320ad72f819dc52db0264ac51

SHA256
7e6e116202472563909c0ca12aacac143d06e561b82fd11cb8c40103c4afe3aa

SHA512
b348846f902b189e4aa2371b41802a2f001df6e76879c5bbccb4edff1f5c951fd2a7768d002be4a0fe7a8e7e14a2fac3896d26c20d42457bbd970b879831d803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
375B

MD5
28700471804d88e62bdfe2123352585a

SHA1
a60315b1a1ad72c70aa566d4f9af735424077076

SHA256
87084e67254284702664a34c57197bc606d2b1a7fb0207bdabb04a6c63ce5d99

SHA512
33337b62981ba8570337e3336bc377576ac1d8ae1f2f6b8363c935942f661f5dd565f14cf498a0efc73c7f56b2de87beb6bb8f0d26cd07b67eec0fbcc50f652e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
375B

MD5
7d9a7b81557b1aedc4283d993f0cda23

SHA1
d1e91ebc02f8750c2ca7539b525ef1e5bca69eb4

SHA256
89bfa750b8f0fee350f6c871f569008c266c77307aedb559e7494c2130479176

SHA512
4813c244a2f2ab44304635222168fcb20defa9d7a0b50cc3d567e9e4e089a2114ccccb67d97a70cd10e2a1dc50555c13a3c55de6fad2d869c4596172e2210f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
378B

MD5
7ce0146d42b7754dc23ca9330888ad6b

SHA1
90e1459ffeb18622d698fb422ce1bee269e3d884

SHA256
57c265b7137f496e44665c95d92bf4e136307a241b108310831abdea7c074c5e

SHA512
4137ea07bcf502fd394245815b0fa36b40e4b4a9313e820c17c85736616f3df8f0b3a7c853b1a47cfe790290b40d0bfbcfa57864ccf60249519b5ccc276d7b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
378B

MD5
40757bd2c57878660f2a70d1ad25514e

SHA1
86cd7d76a2ccdb0069a2dbf1e5e8717e9dbfd691

SHA256
6101175cf884615e8246bcdf545193c8b2323d56da784cfec64a621cb64f3ca8

SHA512
0fe226b11d3731183c3723f889f300b64d344e3d9e93983eca29883aabc980f945c76d172fde96a98258f822eb8e2b8f643fd56653c445f2e2cac96acc1e0eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57d4a5.TMP
Filesize
335B

MD5
fff582c189f122aab32196f61d5e8331

SHA1
0eef0e8584190ad3a5fd2ba92c8e3cc6c7cedf49

SHA256
84599c2f8c88853cf8245fdc90fd9504cca5b69031d441cb3259d163b1f9dc34

SHA512
fd5f6aad09192a1848f4c68398c1d5b3f5f1e067d09d7a6eb15ffdd4eaacb134be9763dd46a5c61058b00c28db0f3dd8ccefcacaa09d6535a0862389764b61ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2e4676aa0ba68932c143cf17dd234f1a

SHA1
092e72303888bc607123cfb95ced07790ded8ba2

SHA256
b3d281f5d82b766a645901140e279f8ca1e954a6f5d57ab96cec0a505f6aa491

SHA512
7e040dfb025efaa95128eaa26eafeccadf0b3a5894013a51ec7931914ad2d6ce9da7ef633036116b6b1f961d1d6dc210358fbcc2fce775c142ad4512d8d8e46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c9661046b8cd204d0b080a323ee8b89a

SHA1
4d853c56e5ff91aa74d83a0cc488626070ef8bed

SHA256
e829e1a4d81d07b51f671ce7c0537b643e2046631da37e305ae152c1f88f89fb

SHA512
6c9c32b6c2e239bafe006f2157a0ebc446c94994068f53cf91585e5bd14674e7b733d3a4853016628806ba7e90ce78bedbd3cce438aafae8050fac71255f16c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
914921c0365b69cf6118663956f2ffec

SHA1
202651b04b7bce2250ac2d8f60c57c4db64ea3e3

SHA256
d3c7cdc2a751636d01c96670e9887cedf66ca78b8b7cfae88316bcec7f4ccac8

SHA512
df159e602084d7bb8863a9692af4867ff118be0fcb27637d6fef9408b0d8537daff0f8d2c4a64ec6e1087ce6f333da27419e7d7b3f0547d4be8d668b01127aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
ac2b12650b4a4955c7dd5b65944a5a65

SHA1
525867e4117ad569ec6097725d2c8a343898af15

SHA256
5f1abaa5145abb6b4f2d39f464ef9a7f5c6ade6b3e05298d273aedf9fb754cfe

SHA512
eafeda580d08dda93ae3b632fce6fcfc17d4c7c39772c029d92322886921f38423f3c60976b937f59114f4531069d9e39717519f97ee710a0b737fa998bb945d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579ed0.TMP
Filesize
48B

MD5
02396d904d301e1e4b02dd98a0853d12

SHA1
f55273ca3ae53d3dd38f541a76fd227d18de987d

SHA256
ab393e9a15f249427848d242778378758be977bed57fda9fca3b472e9538c1c3

SHA512
4dfb7dffa77987a198b19b1bdeec2626c328321f84b21c0caddcc84b0442b19c1e90073505f5f97c2fa8d3909219daf84536b8b726c49ec5ab4d664906eb50b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9b8eccf7833727a8d49d81135dd8d64a

SHA1
02a21fff865d6b6c5514a5c80bdd18354cbe4aa8

SHA256
406da32b770af2aa71a6d8c7493217f50762c2e386a96b16b82fff45899cfa0b

SHA512
3966413e29813abc4cc1851236fc26c13dddaba39c45b9b2692160813357475b4c24041978a7b1f5ef96ff0cebdbf8f697796d8c07583a48ca8c494e23a6dd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
00d9ef3c0cd33a4e3a50d8a9db2c3f41

SHA1
5500ba884743acfca4ebc643b9cf185b310d1776

SHA256
d0b7ccc52733124a35a7148800f2630e46ffe09340c5f7b2c2cd1d995c11f92f

SHA512
c6ba0e6cc1a0559ab437bfaa37fe93765aacaab5c9ebff655529042b29c48188dda91b3814dd8d25bd59007cbf598e516a626f625f3ab8c04fce9a95f9a7e089

Download Submit
C:\Users\Admin\AppData\Local\Temp\DN000000006569C4B6\Runtime64.dll
Filesize
13.6MB

MD5
21e00d8cffdb42642b3b413540e9dd24

SHA1
eae6d44c96117fcf12b4aebad2b95af76bd11f8c

SHA256
611bb16bff870f5de73b83a4dc37e1dd519c4dad9ca323e5908c67516f2109b7

SHA512
e938e2c94484da96ec813f401e20787e91923377be9f8217d3a9e3a4d10a36e1ec548db054c99e03abb117b2897a44556a9de4c34b57b1fd3b190a321746906f

Download Submit
\??\pipe\LOCAL\crashpad_1052_KMBPVHZZYMBYTCOV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-627-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-1267-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-623-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-628-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-616-0x000002093B3D0000-0x0000020940A08000-memory.dmp

Filesize
86.2MB

Download
memory/220-626-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-630-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-629-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-631-0x000002095CC20000-0x000002095DC4E000-memory.dmp

Filesize
16.2MB

Download
memory/220-636-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-637-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-647-0x000002095AED0000-0x000002095AEDC000-memory.dmp

Filesize
48KB

Download
memory/220-648-0x000002095AF10000-0x000002095AF2C000-memory.dmp

Filesize
112KB

Download
memory/220-649-0x000002095B990000-0x000002095B9BC000-memory.dmp

Filesize
176KB

Download
memory/220-650-0x000002095CAB0000-0x000002095CAEC000-memory.dmp

Filesize
240KB

Download
memory/220-654-0x0000020960C00000-0x0000020960DA6000-memory.dmp

Filesize
1.6MB

Download
memory/220-1165-0x0000020960100000-0x0000020960136000-memory.dmp

Filesize
216KB

Download
memory/220-622-0x00007FF4E4D50000-0x00007FF4E4F3F000-memory.dmp

Filesize
1.9MB

Download
memory/220-1280-0x000002095CAF0000-0x000002095CB8A000-memory.dmp

Filesize
616KB

Download
memory/220-1268-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-1642-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-1643-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-1645-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/220-1646-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-1649-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/220-1669-0x00007FFB81FD0000-0x00007FFB8211E000-memory.dmp

Filesize
1.3MB

Download
memory/4556-1658-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1657-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1668-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1667-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1666-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1665-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1664-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1663-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1662-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download
memory/4556-1656-0x000001FC563B0000-0x000001FC563B1000-memory.dmp

Filesize
4KB

Download