crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Analysis

max time kernel
361s
max time network
365s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Score

10^/10

crimsonrat persistence rat upx

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CrimsonRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 4 IoCs

Processes:

CrimsonRAT.exedlrarhsiva.exeBlaster.A.exeDesktopPuzzle.exe

pid process

3692 CrimsonRAT.exe
1700 dlrarhsiva.exe
452 Blaster.A.exe
60 DesktopPuzzle.exe

pid	process
3692	CrimsonRAT.exe
1700	dlrarhsiva.exe
452	Blaster.A.exe
60	DesktopPuzzle.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Blaster.A.exe	upx
behavioral1/memory/452-386-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-397-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-410-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-430-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-431-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-433-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-440-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-442-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-444-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-446-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-448-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-450-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-452-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-454-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-456-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-458-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-460-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-462-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-464-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-466-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-468-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-470-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-472-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-474-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-476-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-478-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-480-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-482-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-484-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/452-486-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Blaster.A.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"	Blaster.A.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

53 raw.githubusercontent.com
54 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640698528588074"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4408 chrome.exe
4408 chrome.exe
3436 chrome.exe
3436 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4408 chrome.exe
4408 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exeDesktopPuzzle.exe

pid	process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
60	DesktopPuzzle.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4408 wrote to memory of 2332	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 2332	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 4524	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 5052	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 5052	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe
PID 4408 wrote to memory of 3840	4408	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa45ee9758,0x7ffa45ee9768,0x7ffa45ee9778
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:2
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4808 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5596 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5616 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5096 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:8
  2⤵
  PID:640
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3692
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Users\Admin\Downloads\Blaster.A.exe
  "C:\Users\Admin\Downloads\Blaster.A.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:452
- C:\Users\Admin\Downloads\DesktopPuzzle.exe
  "C:\Users\Admin\Downloads\DesktopPuzzle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1856,i,9081186564042187599,9360583432893406635,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
186ad9256c4e6a2b13149f7ab5bf337c

SHA1
c51cd9993af8c7c191f57da26dd0f5eef33228da

SHA256
9d0adf3848c48c332575a2490857fa6fd06ad5faa8870e5e86e80f7abcfadd9e

SHA512
b0f76bfe8749c5753288e5d5c558cc73d2d6e9a4cc569a35bfeeed95fd3b8d9419eae057d82405f7824d9772440cd38390f28579e04e321f9bdc3977e286ea05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
de07c98fd64e27becf4794a63b67018b

SHA1
edb844d73e0c5a65af3567c7c72cf1259f223ac0

SHA256
0bdcdd5cd576633c91861d38418342dd761ddb6ee5e2fefc8c8a16f847fd0264

SHA512
b06abaceeb7e97ea8a5ae2d0dcc451f2871c83fc68a74a849e35e6fefbf437a1e9aae329eefa66bb0c790265317060da423c726e5bc5956973d8f3656c6d9ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e28481fc5fc22f4d702e69b229276c3

SHA1
3b555b6377ee49f1e757d0b902df51b71f2cec8a

SHA256
74dd583f25601330f8619784a175fcd66d559293679dc22e9720fffed0df1d5c

SHA512
d85d657aa20b1b23adc3c5b7dd16e278873595070f2a5b695bea3255a0f995beddc69094675db5ad4a04d0502e866b49b74c80005ed92e08124a545e6445ff78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
67aa0658dc1a9b714c32c107dc8d3ec1

SHA1
bd57ca7ce1ee5d67b22168441832d2f8f5aa6a4f

SHA256
dd5b7784301e35b7749f4c64425d382abce4f6850c34357adc446073e0acaac7

SHA512
5b4af7d1a146e4b4e8a97497e11a8203ecb723b0c80733bbda4c7a43962e56ace7668d1d66862a455e3b9a45bfb1fcbd2b2e6a0e73595beadae9885c69b3f29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
04736959c86f85287fbf93eefcb97cbe

SHA1
4643f79aa373a0ab2b5ef42bd84324c7601f3da5

SHA256
c9cf1ac38e8b080e914f8ecff0a9d356eb621ef7905726106c518e0bde9e0e45

SHA512
30723b08100c8b74167ab70791541289818d629dcf599f026546afeabbe56b31090fa5481e5b8b352ad4d39a334c34ced03c1f165cdffb626f6d0079fd1070d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a5588bf015c28b64ea28b9a5de071439

SHA1
4d6e1768733c24f39077f6efed08aa44d538f69c

SHA256
b73af4a970cad2f3adc5ed008a3b15c564bb047d27089c2495aa4a775533ec28

SHA512
e2d9d18bf2d6ca671ff6637acb61dd72885965531c7beb2af77e6c190dacf9cff7d3d0a347fc629d5180790f4caaed07da0ca0014b6c70e3eeda6893a537f2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bef0d3082f49cd5faed99fce807efd57

SHA1
60ee3655ad9b6cd5433b0a3727cacf86eb0659ef

SHA256
bcf83aed6acd4df8e66417100e9072a36e407cb41164985dbb5c0a8201e85414

SHA512
cdbc53e729fafa5d3701e880d09b795309bd47d0010c9e0c8cb6d167fa46b47fad4d26bb49bf0c03f3a17ace2778486b56a7fab742246ba3b91c7cafc7f45a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
71a797d0eb0d6a12653b91765a72d6a6

SHA1
ad5d36ea89b51b3d7a463c079b8e09cbd3a3620b

SHA256
1728aceda4769428efd89f4410812240be83ffc53a12ce060f85267c0b1ad69c

SHA512
573d387fce4adbaa33477e8d8eacb9bfd0fe7c79d0ce867b8c73d5f1b7744e063e0856318e56d287087b355f63639640c15b8acd30546b1cc41cf3b0ad1a7f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
33af2e2025fb84b7f08c90e82bc73c6c

SHA1
4b3a3af4a16e20f780baf2afa56d73aa2542cb2a

SHA256
5b703b0a65b92d31e01f191d1773b87b1da20638d1af3943ec4eb80e94dd4f8c

SHA512
a14fff75c7610e2a7fb77868d08bb2eb6a966e8a0abe021fd795f2731e1ec207b985d56b443e2e604f209ddaea52f8f7074072838de45a35b001bf4a4f65f4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a01ba69b12eaeb83802895aa2bf6b000

SHA1
ded436d7cab269cc3e638b560678402f7bb40be7

SHA256
717bae3e2f9a3947eecb90b9d7ea8ae65286b22e424d3cb1509105b8ec5c7f9d

SHA512
88b850aa01780291d740d98497f5ccee5c5d30f209d6345756e565d3fccc4b22a576a295b500ec22a59d10752993c7d5762f714e98852feaa93f7406a769d13c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f224e0f141f6eed4cd849c5fbfd0673d

SHA1
d839d8e3998d2c08eb57359d647952b212b730e8

SHA256
30c680ae0f81d6c1ea015dc1e0a905db36b3d983d7c6163c904b86fb4f82334a

SHA512
260050a6d17a8ca22adb7efd900e0bd63f2d7a05c2a3de8c48908961f367e9d2e80dfce782e3be48103c2db489d33cfadfc489e72baf019c9b409bb99af82a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
890cafbf2b6fd9c9cc615ff7de35ea3b

SHA1
42ea18dbcd76ef4e47e219ae4cd1b9323f0b1be2

SHA256
fb2252218f3e9cd7668eca47eb313d62dd06868937ae0e559a77e469f2f17613

SHA512
f850dbc083c7e3081c86b83bfc43545aa92c182b5e0d70d874acdb0a4efe416e11b2164c24627bd0b26216b51c7e648f52dc2fe41e4bc3835c7c1b35a947eb26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
884494f89c0f4d3fa629731a1b27f8e4

SHA1
1e41043984460abe7b4e8f8f169828de14cbe19e

SHA256
91ce083490c212e3b79ca245c90a139bf0434f08280e26d5d9df1a622bed5f87

SHA512
af6f4b291d9bb40149b19867752b4d416dfa92cc0fe43c0e218e2f5b7a92d86d7e3d2e4a41ecf6726cf2a4aba2dc9472106d1a1c736d45c6d9e2e7d4d138a258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5df85815e9316e0e967d510d0ffbf82a

SHA1
97e6b777aa44f16014b3674230ec0dbf83bfee44

SHA256
dfe07bc77f9e398c2c18874cf1362898d0394b01ee9b58223bd031145d8079f0

SHA512
2f03b3a9a89a30f4950a3f136a018c866fb0a5bccc94c3776c51263107a024ec0dc1c2e1430488e9384b4c82e3ef481fd633f6c6bfa1a2e0dbbd380b75b8bfab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
81e143b8c327ad3d571afe6e221f9a77

SHA1
61235529acfd14eef40361ba29cf541ca6346752

SHA256
e2f427b85965007a0d110c3e782c9564c3be73890d2d010bc167710d7b0617f3

SHA512
17ab9823b0019d362fdd280af5602db585ba146d0284bfff01d20bf0639160ca7a102b4db224f849f9d1a517055b58e498b7207672b6791cf29e4f91f9c8ff2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
1f78279bf001c7dbe5cd9ace17d17c5d

SHA1
20a98946fda4a0adcd9c5f70243d1ae26603b7f0

SHA256
c6431826bc7d65cd8a07b66d51e1bae4d1d8f7bf12a9c922150dc749a9f0da7c

SHA512
6cbdfa0cffddded08719bffd9d6251bc34806191a91f6614ad21ae8a5cc7229f0c3ebd210506058e025fb44c9ee6a98aefe6c83bd4d20c2b5100be337f0c4989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
892693d4502b2d6411628fa1355f2e5b

SHA1
f593c6781e806b25d721e52e3b839ef4c23b0e51

SHA256
d7b6d60982997d91b09ae850d9a3a176a5b42808419def07a9cd91545391068a

SHA512
f811f928cf3b20cb6e8e018d2ddc51d6c48d6833341f001e1453cd504f6dcdcfe89fd35cedd2673bbabda8e73bd18c2dce257e8fb8c9905910c67752e13e1f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587e62.TMP

Filesize
101KB

MD5
602edcb5f667303790bea3fce39cfa75

SHA1
12b71f94b649ebc7c986d4cbbc0cf34431a848a2

SHA256
f9f09dfcf78bc5e579494d373cca22ec8dc7f341384c447ee8615c2ead8e4f2b

SHA512
34d29e872c15536e4e02b6bff54e333ab0d7f65f6464bddd9045774f2e6804bda095ddc1917f5f96e07528b5a99df19d5373e5701a2552612a5fce647121e2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Blaster.A.exe

Filesize
6KB

MD5
5ae700c1dffb00cef492844a4db6cd69

SHA1
bed8e439f28a1a0d3876366cbd76a43cdccf60fa

SHA256
258f82166d20c68497a66d82349fc81899fde8fe8c1cc66e59f739a9ea2c95a9

SHA512
2cc1ec68df94edc561dd08c4e3e498f925907955b6e54a877b8bc1fb0dd48a6276f41e44756ed286404f6a54f55edb03f8765b21e88a32fd4ca1eb0c6b422980

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\DesktopPuzzle.exe

Filesize
239KB

MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7

SHA1
f8940f280c81273b11a20d4bfb43715155f6e122

SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Download Submit
\??\pipe\crashpad_4408_PSRLEJBSODDONKTV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-477-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-451-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-471-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-483-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-457-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-442-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-478-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-452-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-448-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-454-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-446-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-456-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-444-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-458-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-440-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-460-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-433-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-462-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-431-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-464-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-430-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-466-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-410-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-468-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-486-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-470-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-397-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-472-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-386-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-474-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-484-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-476-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-482-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-450-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/452-480-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-350-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/1700-351-0x000001B46F040000-0x000001B46F954000-memory.dmp

Filesize
9.1MB

Download
memory/1700-409-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/3692-309-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/3692-308-0x0000020ABF0C0000-0x0000020ABF0DE000-memory.dmp

Filesize
120KB

Download
memory/3692-355-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/3692-307-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download