meduza | hxxp://www[.]mediafire[.]com/file/vg7a2g534gxlyka/Kraken_Cheat[.]zip/file

Analysis

max time kernel
118s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mediafire.com/file/vg7a2g534gxlyka/Kraken_Cheat.zip/file

Score

10^/10

meduza collection discovery phishing stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
444
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-320-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-327-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-331-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-328-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-326-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-325-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-322-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-332-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-452-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-456-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-453-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-457-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-465-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-464-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-476-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-477-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-517-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-516-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-511-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-510-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-504-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-499-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-498-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-493-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-492-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-486-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-483-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-481-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-471-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-522-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-469-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-507-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-505-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-468-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-489-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-487-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-480-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2888-474-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Kraken.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Kraken.exe

Executes dropped EXE 2 IoCs

Processes:

Kraken.exeKraken.exe

pid	Process
5792	Kraken.exe
2888	Kraken.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

Kraken.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
170	api.ipify.org
171	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Kraken.exe

description	pid	Process	procid_target
PID 5792 set thread context of 2888	5792	Kraken.exe	134

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.exe

pid	Process
348	PING.EXE
3804	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
348	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeKraken.exe

pid	Process
1524	msedge.exe
1524	msedge.exe
1464	msedge.exe
1464	msedge.exe
512	identity_helper.exe
512	identity_helper.exe
5628	msedge.exe
5628	msedge.exe
2888	Kraken.exe
2888	Kraken.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
968	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exeKraken.exe

description	pid	Process
Token: SeRestorePrivilege	2348	7zG.exe
Token: 35	2348	7zG.exe
Token: SeSecurityPrivilege	2348	7zG.exe
Token: SeSecurityPrivilege	2348	7zG.exe
Token: SeDebugPrivilege	2888	Kraken.exe
Token: SeImpersonatePrivilege	2888	Kraken.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exe7zG.exe

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
2348	7zG.exe
1464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid	Process
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1464 wrote to memory of 3640	1464	msedge.exe	83
PID 1464 wrote to memory of 3640	1464	msedge.exe	83
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 4472	1464	msedge.exe	84
PID 1464 wrote to memory of 1524	1464	msedge.exe	85
PID 1464 wrote to memory of 1524	1464	msedge.exe	85
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86
PID 1464 wrote to memory of 928	1464	msedge.exe	86

outlook_office_path 1 IoCs

Processes:

Kraken.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

outlook_win_path 1 IoCs

Processes:

Kraken.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.mediafire.com/file/vg7a2g534gxlyka/Kraken_Cheat.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd6d46f8,0x7ffedd6d4708,0x7ffedd6d4718
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3240 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2118969406653770921,10767504732363730733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5992

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Kraken Cheat.zip\Pswrd.txt
1⤵
PID:6032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kraken Cheat\" -an -ai#7zMap14919:112:7zEvent4643
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2348

C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe
"C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5792
- C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe
  "C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3804
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:348

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Settings\settings.txt
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
667acbd4e6b5ee0ac3b0c07a745c0df8

SHA1
869a501a95170ff666e61f500a8d8e7fb53d3cdd

SHA256
f04138ddda4a15032cdabbd36d54b3c75107e133e46afa5c9106d2b2c22bf35d

SHA512
b502c9c18eff411ae4b6634689b370ffeaf63a742083b5c4bc2c55f8ff60923d2b20ce623db12b093452a73ddcfff884bd2b1d8839bca3bef2ff2ce3c386035c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
94a9425c747ef4167e9919d989ea5c2e

SHA1
0563dcb3cc1c3c5826fb055ce23c762bd043117b

SHA256
fa6e98dee8aae767d0ee7c040aa188b741401bea9dc913fbf5628b20db70449e

SHA512
51752c35d54d48eda78e9b7281756ba6306f9b545f2a8a879f068b137e5d4c8a558beb0f4b226c0848e8bd158cfc1611c473284c36003b1ea0e411885ab46434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
534cd7b176e150b642ffe1b65c4b958b

SHA1
4b7932adbd899b6f93c5461ecd126a96d1eab12f

SHA256
af49c9f757bed847c3b752734aef3f57f1556f2614548487de50b4b3174c351e

SHA512
cbcc6699a4c2852f73923250272be7bca5a196d688f898fe8c5fc11d94a31e171dbab9c4a47bdb11ce30f557d205c16bfcf33d1ede7662c601f633f1e38d2595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ee2d316d42aa2086d1876fe72a3cac5f

SHA1
13e4c891fd5de37801f1faee4610655d38b3c396

SHA256
5020a103a083f757b1c461a8d65697bfb25b71ff9148501d636f69fc36a10674

SHA512
95bb8567c4867642b9c534af3185faeddeb5a91e1c28591ba89567ee95475d924a94bee643367470e83f75043baff507ea27648a3c4f7296c13a93de53a95649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d5843bbc5a335f27a01bff70afff465c

SHA1
768ec20d42461e6e4aab0ce170631b226e8852c4

SHA256
9caf592d4a6e8094ef84831691333638f89390e7340f70407fb160211658378e

SHA512
3abb6d2e9a2aaa9fe5258d8f13f3e628cc0edd9c7b0a93cbd747f2a4b1014a91006494a61758279465d58dc74a0bea492259510dbcb4b8505a249b043c80e1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ae0037d72f30d6e9143d4451185b7d3

SHA1
0634fa7b062498c617d28712d7ad0c06efb0a47b

SHA256
1df893fd02c89ebefb469757992b7d70322f0d57ef2691ab2f6933cea9e8167c

SHA512
888a69205cbe8d6d276b10955616996efac168fe9f6e4960bde2896fffedc86722e3523d6c3e91874ec8d5c49c210a9f5a115105c9c6902cdd0f47bec2984ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8d9d0efa8235bd7abb4f1e1388fb896d

SHA1
b97158b1a1f15f6aadfc7921e83ac24cb0a13ade

SHA256
cd7b0a3b823ca98fcf0ef67a2ede8597ea898802cd9d76802a6e321869d4c1eb

SHA512
8eedca040752faa11ea40d415af8f55079379f6f09195c37db174583cbdbea60118e3ba5795018e7f672279f4832b2576447937f41ab0f8649100432cf15e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8ced95f7d46563644eda74b8d9f67519

SHA1
ec95e29c1a9dde0541c84a11d8f10455f83c40c6

SHA256
ec995741e8252870c5cd3f1e9cc11ce285e4d916f9a8495217087424bcfaa112

SHA512
11fd79dd809a81c399f5b819c148497e5d8afe6a2006c30f6f30703d1e2ed6b288170c8752758d1a2072c081fa5d90ee8cb243cd2e88dde748301890f037e661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581d86.TMP

Filesize
48B

MD5
ac26973347203dc38cfe9679e7c06d92

SHA1
8c0b0505bb814ffca84c900f562b78b418634484

SHA256
cfc90551b644dcd354b7f711f58738ad8dea0688f3f7833c80be13061f68e51e

SHA512
c1e8335c84f567598dcfa4de2ff4efb5f8c242692258f3649bc2069bcf938fc389bf84945cf2ddb5484efa706ae854e96eab413a64b7d1b2267650e9dd566f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dbed7343b4db7ac51f442775a2426a47

SHA1
ea1c444acbaaa5adcd7244c864fc37a72a7a5024

SHA256
fe33b748a8d63dd66724b6fd997e11e92860850d276573bb541a39ecc162ea8f

SHA512
db3b9a5c9367bb3f1b60b79d4bb47c594a26ef2c1c4ca3deb2abd38773c82383f300642caa00c716296d60bbc505ad5f3955b5a346c01673a47a479816ce61a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed9c.TMP

Filesize
538B

MD5
96b5907ca7a750aa3ddb50a3bf2e328f

SHA1
1fcd1d2dfd2c43994c073947087d9f13c94de135

SHA256
dc41bd535e70bcdfd672f7735604a24e840fdc62b8b7af6a09368b0800a92c99

SHA512
58806449a5d84ec2c84dd3c41149f4748be0cb408129682eda08084c00e2a385c09c8879a3a7add58211932fffe803a7d5d4646269fd37dcf4d0fd26b6991505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5f01be67f8fcd3e9fc2f560a7ca5fa50

SHA1
fc90708514c807c52de11b425b9706bd363d5a95

SHA256
be4038b62eee7ff2240ecaa717356dafe59da54b595674c207bae5c5d6d049a2

SHA512
aad95655551e2190a0e3fb12470eb8951d20777275981572176f462e326b40bae118fe0bd0f663a1d5c512de8803c3bc15099d1f047cb0628d688d78e6a6c065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
542eb78d5590c2cc84dad79cea881b7d

SHA1
e7dd34c77400de68ff325ddc2a55fa854fd5089a

SHA256
e791c9c0a4cd216f29d09c21459d4c25459880aa776276dceaa1b9106d0471b1

SHA512
dad32cfd09c2985ab9fe0490d617b8436375765bfb5d10afd9e0238504aa7d5db71d59ac54f5da1a3f9d01e09dfe6de7603417957bd7c127498c9b7128475d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
523cae21abf3478ab2c6adaad06ece15

SHA1
4bd0bf6e1af1525f4f47a25011c556bf30ae8bbc

SHA256
c413833f6dca1e5cb37b660d43131aaf7dc0d42ed69a1695567ee2624cbfbb43

SHA512
5c7b98a6073e7c16c87d21a3b0930c9a3597614b5802d24c5a5691d572efaa1326092d8e84ed555112c7b699d088f610e63923a32c5e6163e2f1431907e7ef16

Download Submit
C:\Users\Admin\Downloads\Kraken Cheat.zip

Filesize
10.7MB

MD5
f3ae551e52491ddf865c1f0226cb5dba

SHA1
cc0959d1a88fad61b83c8a740319d844f8b84424

SHA256
f7c305a1aac53a14d3bd92ce035c03b7e6be7308f23705ba00348c2db749c0b1

SHA512
e4c49390fd3a23135050d5dfd35f842d141e59396707ca5b39cdefbe9067f321182412110b865d137cce469d94865f7a4f9942ea47c2a96ba97bc434d9a4e9f7

Download Submit
C:\Users\Admin\Downloads\Kraken Cheat\Kraken Cheat\Kraken.exe

Filesize
3.7MB

MD5
2efb1d6f632c13e3be57d710f190f8d0

SHA1
19437cafa11c6ae5fa27e35de3369cf0817a7dbb

SHA256
ca54bdbbd6238be2040eb965561f078e573569d8d2fa0756d02e2795276c62bf

SHA512
ae3a3fa1c142c5d57f641da0941364189ffe01daac6a4739d5d84508f0461451ef4c818cc1164d9cfab3ddbc6f613f94e26046fd7d613e42a7ec858dec29b38b

Download Submit
\??\pipe\LOCAL\crashpad_1464_WCQWLVUAKMSGWVWM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2888-476-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-511-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-325-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-323-0x00000000C0120000-0x00000000C0121000-memory.dmp

Filesize
4KB

Download
memory/2888-322-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-332-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-328-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-331-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-327-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-452-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-456-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-453-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-457-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-465-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-464-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-320-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-477-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-517-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-516-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-326-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-510-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-504-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-499-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-498-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-493-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-492-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-486-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-483-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-481-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-471-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-522-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-469-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-507-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-505-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-468-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-489-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-487-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-480-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2888-474-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download