Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows7-x64

3

https://bazaar.abuse...

windows10-2004-x64

Analysis

  • max time kernel
    332s
  • max time network
    335s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 04:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/

Score
10/10
badrabbitcryptolockerdharmamimikatzbootkitcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • CryptoLocker

    Ransomware family with multiple variants.

    ransomwarecryptolocker
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (518) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 6 IoCs
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 21 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b75546f8,0x7ff9b7554708,0x7ff9b7554718
      2⤵
        PID:4756
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        2⤵
          PID:4036
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4556
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
          2⤵
            PID:2720
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
            2⤵
              PID:1176
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
              2⤵
                PID:4032
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
                2⤵
                  PID:2844
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
                  2⤵
                    PID:4844
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                    2⤵
                      PID:548
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1000
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                      2⤵
                        PID:4912
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
                        2⤵
                          PID:1796
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                          2⤵
                            PID:2468
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
                            2⤵
                              PID:1268
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
                              2⤵
                                PID:1436
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
                                2⤵
                                  PID:2028
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1676 /prefetch:8
                                  2⤵
                                    PID:3984
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2384 /prefetch:8
                                    2⤵
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4208
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
                                    2⤵
                                      PID:1492
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
                                      2⤵
                                        PID:1224
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
                                        2⤵
                                          PID:4004
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 /prefetch:8
                                          2⤵
                                            PID:4744
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 /prefetch:2
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4432
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
                                            2⤵
                                              PID:2696
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:8
                                              2⤵
                                                PID:3700
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
                                                2⤵
                                                  PID:4792
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6692 /prefetch:8
                                                  2⤵
                                                    PID:4760
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
                                                    2⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2620
                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Windows directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4436
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                      3⤵
                                                      • Loads dropped DLL
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2012
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c schtasks /Delete /F /TN rhaegal
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4308
                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                          schtasks /Delete /F /TN rhaegal
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:432
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3814544259 && exit"
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1600
                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3814544259 && exit"
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4744
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:33:00
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4584
                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:33:00
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2124
                                                      • C:\Windows\BD.tmp
                                                        "C:\Windows\BD.tmp" \\.\pipe\{830EE7F9-E85F-4259-BFAC-82D43630B91A}
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3860
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
                                                        4⤵
                                                          PID:16796
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          /c schtasks /Delete /F /TN drogon
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:16848
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /Delete /F /TN drogon
                                                            5⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:17160
                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:4644
                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                        3⤵
                                                        • Loads dropped DLL
                                                        • Drops file in Windows directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4788
                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1524
                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                        3⤵
                                                        • Loads dropped DLL
                                                        • Drops file in Windows directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3944
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                                                      2⤵
                                                        PID:1172
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 /prefetch:8
                                                        2⤵
                                                          PID:1952
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2612
                                                        • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                          "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                          2⤵
                                                          • Checks computer location settings
                                                          • Drops startup file
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops desktop.ini file(s)
                                                          • Drops file in System32 directory
                                                          • Drops file in Program Files directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3128
                                                          • C:\Windows\system32\cmd.exe
                                                            "C:\Windows\system32\cmd.exe"
                                                            3⤵
                                                              PID:3220
                                                              • C:\Windows\system32\mode.com
                                                                mode con cp select=1251
                                                                4⤵
                                                                  PID:6624
                                                                • C:\Windows\system32\vssadmin.exe
                                                                  vssadmin delete shadows /all /quiet
                                                                  4⤵
                                                                  • Interacts with shadow copies
                                                                  PID:16876
                                                              • C:\Windows\system32\cmd.exe
                                                                "C:\Windows\system32\cmd.exe"
                                                                3⤵
                                                                  PID:20212
                                                                  • C:\Windows\system32\mode.com
                                                                    mode con cp select=1251
                                                                    4⤵
                                                                      PID:20288
                                                                    • C:\Windows\system32\vssadmin.exe
                                                                      vssadmin delete shadows /all /quiet
                                                                      4⤵
                                                                      • Interacts with shadow copies
                                                                      PID:20592
                                                                  • C:\Windows\System32\mshta.exe
                                                                    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                    3⤵
                                                                      PID:20332
                                                                    • C:\Windows\System32\mshta.exe
                                                                      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                      3⤵
                                                                        PID:20440
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3204
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2704
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5024
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3988
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4344
                                                                    • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                      "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3700
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
                                                                      2⤵
                                                                        PID:31892
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
                                                                        2⤵
                                                                          PID:16724
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
                                                                          2⤵
                                                                            PID:3492
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
                                                                            2⤵
                                                                              PID:28928
                                                                            • C:\Users\Admin\Downloads\CryptoLocker.exe
                                                                              "C:\Users\Admin\Downloads\CryptoLocker.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • NTFS ADS
                                                                              PID:20552
                                                                              • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                                                                                "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:20764
                                                                                • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:21008
                                                                                  • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:21172
                                                                                  • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:21112
                                                                                    • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:20872
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:11608
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:14508
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:16808
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:16668
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:18260
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7092 /prefetch:8
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:18080
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:17872
                                                                            • C:\Users\Admin\Downloads\PowerPoint.exe
                                                                              "C:\Users\Admin\Downloads\PowerPoint.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Writes to the Master Boot Record (MBR)
                                                                              • System Location Discovery: System Language Discovery
                                                                              • NTFS ADS
                                                                              PID:5572
                                                                              • C:\Users\Admin\AppData\Local\Temp\sys3.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\\sys3.exe
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Writes to the Master Boot Record (MBR)
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5416
                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                            1⤵
                                                                              PID:4740
                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                              1⤵
                                                                                PID:3204
                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                C:\Windows\system32\AUDIODG.EXE 0x490 0x384
                                                                                1⤵
                                                                                  PID:4912
                                                                                • C:\Windows\System32\rundll32.exe
                                                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                  1⤵
                                                                                    PID:1664
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4532
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2704
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4424
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4352
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1872
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3872
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3352
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:804
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3964
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3944
                                                                                  • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                    "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                    1⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3376
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1384
                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                    C:\Windows\system32\vssvc.exe
                                                                                    1⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:16496
                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                    "C:\Windows\system32\taskmgr.exe" /4
                                                                                    1⤵
                                                                                    • Drops startup file
                                                                                    • Checks SCSI registry key(s)
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    PID:19244
                                                                                  • C:\Windows\system32\werfault.exe
                                                                                    werfault.exe /h /shared Global\2d716febc7a24520a2c02ea3ceda7af2 /t 20452 /p 20440
                                                                                    1⤵
                                                                                      PID:20200
                                                                                    • C:\Windows\system32\werfault.exe
                                                                                      werfault.exe /h /shared Global\32181f46ad764863a57e96ff38edde15 /t 20344 /p 20332
                                                                                      1⤵
                                                                                        PID:20720
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                        1⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:19340
                                                                                      • C:\Windows\system32\LogonUI.exe
                                                                                        "LogonUI.exe" /flags:0x4 /state0:0xa3928855 /state1:0x41c64e6d
                                                                                        1⤵
                                                                                        • Drops desktop.ini file(s)
                                                                                        • Modifies data under HKEY_USERS
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:5144

                                                                                      Network

                                                                                      MITRE ATT&CK Enterprise v15

                                                                                      Reconnaissance

                                                                                      Resource Development

                                                                                      Initial Access

                                                                                      Execution

                                                                                      Scheduled Task/Job

                                                                                      1
                                                                                      T1053

                                                                                      Scheduled Task

                                                                                      1
                                                                                      T1053.005

                                                                                      Windows Management Instrumentation

                                                                                      1
                                                                                      T1047

                                                                                      Persistence

                                                                                      Boot or Logon Autostart Execution

                                                                                      1
                                                                                      T1547

                                                                                      Registry Run Keys / Startup Folder

                                                                                      1
                                                                                      T1547.001

                                                                                      Pre-OS Boot

                                                                                      1
                                                                                      T1542

                                                                                      Bootkit

                                                                                      1
                                                                                      T1542.003

                                                                                      Scheduled Task/Job

                                                                                      1
                                                                                      T1053

                                                                                      Scheduled Task

                                                                                      1
                                                                                      T1053.005

                                                                                      Privilege Escalation

                                                                                      Boot or Logon Autostart Execution

                                                                                      1
                                                                                      T1547

                                                                                      Registry Run Keys / Startup Folder

                                                                                      1
                                                                                      T1547.001

                                                                                      Scheduled Task/Job

                                                                                      1
                                                                                      T1053

                                                                                      Scheduled Task

                                                                                      1
                                                                                      T1053.005

                                                                                      Defense Evasion

                                                                                      Direct Volume Access

                                                                                      1
                                                                                      T1006

                                                                                      Indicator Removal

                                                                                      2
                                                                                      T1070

                                                                                      File Deletion

                                                                                      2
                                                                                      T1070.004

                                                                                      Modify Registry

                                                                                      1
                                                                                      T1112

                                                                                      Pre-OS Boot

                                                                                      1
                                                                                      T1542

                                                                                      Bootkit

                                                                                      1
                                                                                      T1542.003

                                                                                      Credential Access

                                                                                      Credentials from Password Stores

                                                                                      2
                                                                                      T1555

                                                                                      Credentials from Web Browsers

                                                                                      1
                                                                                      T1555.003

                                                                                      Windows Credential Manager

                                                                                      1
                                                                                      T1555.004

                                                                                      Unsecured Credentials

                                                                                      1
                                                                                      T1552

                                                                                      Credentials In Files

                                                                                      1
                                                                                      T1552.001

                                                                                      Discovery

                                                                                      Browser Information Discovery

                                                                                      1
                                                                                      T1217

                                                                                      Peripheral Device Discovery

                                                                                      1
                                                                                      T1120

                                                                                      Query Registry

                                                                                      3
                                                                                      T1012

                                                                                      System Information Discovery

                                                                                      4
                                                                                      T1082

                                                                                      System Location Discovery

                                                                                      1
                                                                                      T1614

                                                                                      System Language Discovery

                                                                                      1
                                                                                      T1614.001

                                                                                      Lateral Movement

                                                                                      Collection

                                                                                      Data from Local System

                                                                                      1
                                                                                      T1005

                                                                                      Command and Control

                                                                                      Web Service

                                                                                      1
                                                                                      T1102

                                                                                      Exfiltration

                                                                                      Impact

                                                                                      Inhibit System Recovery

                                                                                      2
                                                                                      T1490

                                                                                      Replay Monitor

                                                                                      Loading Replay Monitor...

                                                                                      Downloads

                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8
                                                                                        Filesize

                                                                                        5B

                                                                                        MD5

                                                                                        5bfa51f3a417b98e7443eca90fc94703

                                                                                        SHA1

                                                                                        8c015d80b8a23f780bdd215dc842b0f5551f63bd

                                                                                        SHA256

                                                                                        bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

                                                                                        SHA512

                                                                                        4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\672f9c8b-70dc-4b44-96b4-a34c2edb0850.tmp
                                                                                        Filesize

                                                                                        11KB

                                                                                        MD5

                                                                                        e4ebae76f03cd05926c14b29289512d0

                                                                                        SHA1

                                                                                        56437b10fd89cc93e7673cbfb71a18890c53ed7a

                                                                                        SHA256

                                                                                        a225254c6521e63b6ff959c4d56e85f43f09a6e70865f0c4b2d3fc214ffcc16c

                                                                                        SHA512

                                                                                        c86dff0b1f759dbe950349cc29259e463d4c8957212ef8b14f6f7a6dfbc1c7ce525e1e174c067ab6e03de30947c1e450a7a120f61a48b03e5affc5dd67a9652e

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        9e3fc58a8fb86c93d19e1500b873ef6f

                                                                                        SHA1

                                                                                        c6aae5f4e26f5570db5e14bba8d5061867a33b56

                                                                                        SHA256

                                                                                        828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

                                                                                        SHA512

                                                                                        e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        27304926d60324abe74d7a4b571c35ea

                                                                                        SHA1

                                                                                        78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

                                                                                        SHA256

                                                                                        7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

                                                                                        SHA512

                                                                                        f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
                                                                                        Filesize

                                                                                        213KB

                                                                                        MD5

                                                                                        f942900ff0a10f251d338c612c456948

                                                                                        SHA1

                                                                                        4a283d3c8f3dc491e43c430d97c3489ee7a3d320

                                                                                        SHA256

                                                                                        38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

                                                                                        SHA512

                                                                                        9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
                                                                                        Filesize

                                                                                        64KB

                                                                                        MD5

                                                                                        d6b36c7d4b06f140f860ddc91a4c659c

                                                                                        SHA1

                                                                                        ccf16571637b8d3e4c9423688c5bd06167bfb9e9

                                                                                        SHA256

                                                                                        34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

                                                                                        SHA512

                                                                                        2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
                                                                                        Filesize

                                                                                        67KB

                                                                                        MD5

                                                                                        929b1f88aa0b766609e4ca5b9770dc24

                                                                                        SHA1

                                                                                        c1f16f77e4f4aecc80dadd25ea15ed10936cc901

                                                                                        SHA256

                                                                                        965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

                                                                                        SHA512

                                                                                        fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
                                                                                        Filesize

                                                                                        41KB

                                                                                        MD5

                                                                                        3fa3fda65e1e29312e0a0eb8a939d0e8

                                                                                        SHA1

                                                                                        8d98d28790074ad68d2715d0c323e985b9f3240e

                                                                                        SHA256

                                                                                        ee5d25df51e5903841b499f56845b2860e848f9551bb1e9499d71b2719312c1b

                                                                                        SHA512

                                                                                        4e63a0659d891b55952b427444c243cb2cb6339de91e60eb133ca783499261e333eaf3d04fb24886c718b1a15b79e52f50ef9e3920d6cfa0b9e6185693372cac

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
                                                                                        Filesize

                                                                                        19KB

                                                                                        MD5

                                                                                        76a3f1e9a452564e0f8dce6c0ee111e8

                                                                                        SHA1

                                                                                        11c3d925cbc1a52d53584fd8606f8f713aa59114

                                                                                        SHA256

                                                                                        381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

                                                                                        SHA512

                                                                                        a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
                                                                                        Filesize

                                                                                        65KB

                                                                                        MD5

                                                                                        56d57bc655526551f217536f19195495

                                                                                        SHA1

                                                                                        28b430886d1220855a805d78dc5d6414aeee6995

                                                                                        SHA256

                                                                                        f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

                                                                                        SHA512

                                                                                        7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
                                                                                        Filesize

                                                                                        84KB

                                                                                        MD5

                                                                                        74e33b4b54f4d1f3da06ab47c5936a13

                                                                                        SHA1

                                                                                        6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

                                                                                        SHA256

                                                                                        535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

                                                                                        SHA512

                                                                                        79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
                                                                                        Filesize

                                                                                        1.2MB

                                                                                        MD5

                                                                                        53e6452a21197c8f83c7c9dcb93e60a9

                                                                                        SHA1

                                                                                        0c88935ff99f6e5e2da6d889f64322fd659e389c

                                                                                        SHA256

                                                                                        5015ce8f2a610052ec08f1ebe5ac5f41e6fd623fd6c74b0cd79d0eb6882626e9

                                                                                        SHA512

                                                                                        78f0550ca40752b3ef8943bf23ec2089e5f0136040ca3af2b7ca8ae6a28d64f8d97ac32ef82b18bdc4d19d6cedc4ad1970157791a7c55649374b290780750a16

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                        Filesize

                                                                                        5KB

                                                                                        MD5

                                                                                        1686793baa4a02171b24b096204c7c29

                                                                                        SHA1

                                                                                        23d83145ce882cffa910e79e6c575a2f561d0787

                                                                                        SHA256

                                                                                        0a12fba57c09947dab5ef9fe202a5ecd0baeb94599c54de572a47dab3a524c87

                                                                                        SHA512

                                                                                        84ac4bb5a2a8539fd94cb68f40385cb44b89557bccae240c5e6b240aaee4a9c2788c0d134e993674ff6073dc29a1b46f538ce07421252c8185cd1027cc73caeb

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        fab9e84a46d56b2ebcc66375b379e1a1

                                                                                        SHA1

                                                                                        3c711888a7e522e43dc72676733a2a7955da251e

                                                                                        SHA256

                                                                                        2c0b7e32a8dd4a7df46615d8c6fdaff9ad43bfb6f6d82237755b118e9747ef0a

                                                                                        SHA512

                                                                                        2c635a6c6d892b48a45a707331314b5f0c55c4ae9e184a2e69ca5d6254aaa4b5d3d8d329a0f902f33ea1de3950a2e0a77b2bde3db1e2c4162c5e762429bccdd8

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                        Filesize

                                                                                        216B

                                                                                        MD5

                                                                                        b2ff289943d83802e3988c18e70f1c7b

                                                                                        SHA1

                                                                                        728967493224a2482e08b5c12b0c8f39a3c51935

                                                                                        SHA256

                                                                                        a63b51f677ff90c72e9d2c4dc3a8504bdbd92aee789dd57b5a5b604e722046c2

                                                                                        SHA512

                                                                                        eadf62604363fd04ebe1c6acbfd5b6ab7bd7577510613b28f731f03da83acba6314a159fa6e207951cf5854b3b364115a091b12ce21ba2e1dfe342649a3a6401

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        bbad42461bdce9c2789acc8b0bc9e015

                                                                                        SHA1

                                                                                        08f49f2c9fc415f8159a14d7b9912dee6f5b4ed5

                                                                                        SHA256

                                                                                        f2e4cf6001dd1fcc0175edab4dd6a9c75e456f65f62b3b0b883e53bd09a745cb

                                                                                        SHA512

                                                                                        b951195dacdf6edfd8fd022a65356d609f18f5beb7c12cf3120cc1c170c2340de08804950d48eb39f514d1ee293e62c323d8adb00fcdb7bdd89dbd29ca3b5a0c

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        1843f7da3f9a3057a6d3f5c0c74a17e9

                                                                                        SHA1

                                                                                        d8ec1e856d0de171e919998fb72fca0e6579e172

                                                                                        SHA256

                                                                                        debf1c7d87ac18b0c9943427234d37824450b5565b384e589a1be79e7391c8bd

                                                                                        SHA512

                                                                                        8af6dc38cb0d54bacbf829124468dfdc6488e2dbff6818639e3624ee7cdd4b1f178e50055f03cb9ba92e37b6996e89c6fcafb254ec61c2004f77b4e3b50923dc

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        d739d86bf795222fa4e620d7782f3178

                                                                                        SHA1

                                                                                        7f825e6bdf3427e8ebd6d9ccb60eef23bca477c8

                                                                                        SHA256

                                                                                        e5c900d530304860e88cdf8066098916c098fd1eb9febc0495f29030d79cb5c0

                                                                                        SHA512

                                                                                        4cb98840e49fb8664f4510bd501e10bf6018574ced121bfebdfa96d89eeb6cf98fbdc8dba1e2ac57194ef883f26031fd398fb4e26c461fe0f5aa3d5dbd355924

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        8KB

                                                                                        MD5

                                                                                        97958ab5344bf00331be55707d73d96a

                                                                                        SHA1

                                                                                        e7fd9b7c497beb3e9fb5afda50606ae8c2dd9b84

                                                                                        SHA256

                                                                                        8f6b137b3d16f74f899f7bb568820e038267f13fb5b4050b81b293194b0758b2

                                                                                        SHA512

                                                                                        82ff701129c986f385ab00cf707e28a3b0ad1eac78f9f6776416b88b3ee9527814f22598e404bc01fab66a4571c4680a66c69e337c1134c3278a514fab35f0e8

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        7KB

                                                                                        MD5

                                                                                        e13dd4307f79df65a83c8995be67e165

                                                                                        SHA1

                                                                                        f3063d54cc5da9120580b8c6252fab7a66d8f997

                                                                                        SHA256

                                                                                        7781d1e485614f5103f7e24ba68e74e6a4c94615cdde0361e9e952b7acf07e8c

                                                                                        SHA512

                                                                                        05f5a84b207739c15f68a42e4ebc865d3f161a56531774f980122c5877803abea8137239339d339835130eccba0077995e91bfba8c2873fc588e4eda3ae06abc

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        8KB

                                                                                        MD5

                                                                                        abbe51cb6918d271b2101e1c6436215d

                                                                                        SHA1

                                                                                        ac6440399f28076bb7a3c4de709d4740bd51b7bf

                                                                                        SHA256

                                                                                        76a5b33117fb65846b33668235b9fdc8eae6cd9d1620df71b8831b2f3d741bc6

                                                                                        SHA512

                                                                                        6cf38f9f7d4a03ce9148138eea1b623f19dda15296f1a7f03591e5668bf8b18b5bca7994afb609be4e0e62d478e76f329d45aab2999b92a11c1585af92af9be3

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        8KB

                                                                                        MD5

                                                                                        0845ca3748c373cee20b85c51482f1d0

                                                                                        SHA1

                                                                                        314744ccf190dc55cd4b77a20a4972af0c6c84bf

                                                                                        SHA256

                                                                                        3e8791eb45cecd62b5601792bb48763215e91c6ae69de4f7f17428df2bf76140

                                                                                        SHA512

                                                                                        5fed9f1656af48d88a6da038232f2bbc0049c3ff063c0ee263568f0d2832ec38b4f40e08f9785c1fe1ebc1e820f23c583381813037d38f6877b9a00dd9b75477

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        6KB

                                                                                        MD5

                                                                                        fa7c53991814da64411ed59c6d06edf5

                                                                                        SHA1

                                                                                        27367833de5ee2d67c089ae1ee6319ebc4fca861

                                                                                        SHA256

                                                                                        55d167fdc7a13554b1a295dcf71d8cf1b7c3b95ba905517a03e06b00d4dc9597

                                                                                        SHA512

                                                                                        34e12b76192a68601948f0546b2ea20bdbdb85386a7ba4f3342cfc15020223f4907643f73ca448649e18ae94099c4413ee049c051b80d2e85fb6f09271f46962

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        7KB

                                                                                        MD5

                                                                                        33bb291aa224222412340cf88e0238f0

                                                                                        SHA1

                                                                                        3a3e29d647aeb966468a022d7a99137556bdce2b

                                                                                        SHA256

                                                                                        6fb1cb5237641dd7dfaa3818edd6f0e56d3654faf9ac3dd7a35a035da0ae8504

                                                                                        SHA512

                                                                                        25361a07a5b6b222d8db22a865c95b9ab7982bca172df46183d11f8ef983716325a974a54e793254e71127f7b1e3d90440db8dda1b754ba9fc453f3ba9d56445

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        7KB

                                                                                        MD5

                                                                                        0acefa24065f21570cc96f839d80664e

                                                                                        SHA1

                                                                                        9ca8f7e97cd8608e411e53db40af43d30b86f8c3

                                                                                        SHA256

                                                                                        2460d4ad2de5d5faad59489b6c3e48ca6aa3301d4af67df866233f1493074097

                                                                                        SHA512

                                                                                        8680c6c6c2baf7106b681472fca60917d77413d23e69ddf8ddd4ddcef3557d6425a641e2631b12ba6eadc2ce84360ba9f721e2908b8956b5704af879188b2924

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        8360213b6f588d5303a3309cc173ce60

                                                                                        SHA1

                                                                                        c3dfc65cd4e65ce4dd9da939693748464db841df

                                                                                        SHA256

                                                                                        ddf30d49a9e85b748045f859cf4eca1cfd1058657ae7c8a74c208b9067af6faa

                                                                                        SHA512

                                                                                        fc2b47b39582618fc9f320af97998a1813060e398e1f47211ecace3a4c122f3b99058c3849ebac289c72cec5d062ffa3070a6448e5c0e28061cf459df3dcd073

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        a8a595473d5b6688d90428a7b7b5d28b

                                                                                        SHA1

                                                                                        fa5885ed6c25b25f1c8ac43efc326b490cd47ffb

                                                                                        SHA256

                                                                                        a7dbec5e3f406a748870b2481c2f649b8c416a04d5707e79a912dcc536dcfba3

                                                                                        SHA512

                                                                                        5209c26d03915beef1ed96460f205b4cb5b1c8756203cef2213e1a4ea90a5bec4704d6863a8bfba9360a1db3e88a2584d483d38e3cd8348367179af620d77587

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        0abec2ccbe7041c799c2a67f3bd1c36f

                                                                                        SHA1

                                                                                        1c3646b39c917705d7244d2140decfb3d53eb415

                                                                                        SHA256

                                                                                        6f78fdc8c98f61c9e20f2b088f04dc1be23fb49bd0f52f7b6ef35395799332a8

                                                                                        SHA512

                                                                                        2930c525ae682a93f1c0fa23539c172384153cf59f50437fc5cb1e635c7a42986f7356547c76d07a0dab5306314db98a8f55d1a575e919a71c95782710e38749

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        1af8c8383f0f0e919f1be69c93b2fda9

                                                                                        SHA1

                                                                                        041de86f77f989cce0724631d33141f24b7b6f08

                                                                                        SHA256

                                                                                        51f11775dbac65dca02f5435ad22513a34619c9886613f2fadd7acbdc824802b

                                                                                        SHA512

                                                                                        39f7ff941c58ef13b886555310e2e48626770ab630b3999ed789161e19ea1d5b036c0f4ab6a6ae9420a7992a74ba5e0d97ecc17a6d03ed0d63a44628afd58748

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        55d5154f8b2ffdb095372657eb2fd0f6

                                                                                        SHA1

                                                                                        4afad36b232af162aad00d3701389f87b7b89138

                                                                                        SHA256

                                                                                        9e6377103cabab7aa85112bb085e824ffc76040b99b90a1920afb3ec890654c8

                                                                                        SHA512

                                                                                        0aa706d8689014f31f244739d3afc25562866542f1f24d08bf81d5cb1441a81098bf33a60bb368fc9bd5af6ae684180e8a0d21c778cfc6ad7ac4bdd2071d23ce

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        a3b16c70da86d1e61f9308563712d232

                                                                                        SHA1

                                                                                        8353e396a2b5e86fbc2e6f91c7466992b2965a0c

                                                                                        SHA256

                                                                                        0a0ba1fa2661e63181527051498bf36e94d1a0e41dccaff3eb7d5d0acc3cd3f0

                                                                                        SHA512

                                                                                        1018d66502acec4b836b3905cf72dbcc5a3c1e639ae62df8b526c08923a952be85a8f75f1b9341889f8829f78f07ecd49eb4ea56a77a18646c337df456843a79

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        85ba731aa4c28c80cf37096f4fd43319

                                                                                        SHA1

                                                                                        98c4c0297bd4ff3561a58bef316dcb964bf5d915

                                                                                        SHA256

                                                                                        cc792af64c4328254d03b1c3096824914cbd8906fdab2ee63a0235e744bb8713

                                                                                        SHA512

                                                                                        8c4910b4020ccba831e96c4f29cf4acd107ff239f0afae9682b3d9b1232a12180bd857a664dbaa3cfe8c6d8e43b28549b7e8f890863c3ba3bc5de8714806b0f4

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        872B

                                                                                        MD5

                                                                                        2cf57f80e0e57d4db93a76f73f8697ef

                                                                                        SHA1

                                                                                        db878b21735d7f3041e19439b756325a86628429

                                                                                        SHA256

                                                                                        cbaabaa2f327bbc179ca2981604805d47f269dd020677cc788c702b03120c0ca

                                                                                        SHA512

                                                                                        43c7703073f5019f19d528e1b4470e714af1b67b4d9de8bd9b1494a69c18e57dad6f29d9edc794ee602eb2b2e49f856e3f068af23346d646d80f0debfb08bc91

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        872B

                                                                                        MD5

                                                                                        7c973a9d38e6d8711d0bf1069ea929f0

                                                                                        SHA1

                                                                                        0c69f39a03ffa33fb23f0c82cd0fafa7e31efde9

                                                                                        SHA256

                                                                                        416aa329cf68f9022b8b793b4a8a9a6f67d6814e8c9fd4c33ebaf2d7400de3e6

                                                                                        SHA512

                                                                                        d81712b3c4555eaad4e0901ed8b7259ca20de6b529f22d7d17078def4d8cf59e0306a86c9f7a6ba014376d25ea0f704b875ac3ef80f4454f7694669f0e55bf2f

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        5d85cc10384c0a88df3a1b9bf86ff5cb

                                                                                        SHA1

                                                                                        563c99a62ed5ced9b21a5d6bc25b6f590812784e

                                                                                        SHA256

                                                                                        3a57c9ce694728423223f61e8e2d835c5aef41dd98780e5230dd94f085ddd046

                                                                                        SHA512

                                                                                        7feaf75d9da6a6e837b8759d19afc8677549a72b18b9c4d33439be1b66c399a5f67c8906e65829e617f0b980ebe88a2d8a74aff796b3b441d9d12fdbf0347ca9

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b0bd.TMP
                                                                                        Filesize

                                                                                        370B

                                                                                        MD5

                                                                                        e50c6a5d8954833953066450cfa6c62f

                                                                                        SHA1

                                                                                        7bc70b1716557495840951f13444e722c381d8b8

                                                                                        SHA256

                                                                                        72ccd09cad04cdfa12bf926dd35d4799d87e64ff9d1478056faf6569bf5f4ff5

                                                                                        SHA512

                                                                                        4b62a428228416b0d5be92d2b23a270add03d76a52585b0683ede9e2ae69d2be6fd27c700acfc4216e53b88390e38e46958932e181781e6a220f7da674ced3b8

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b12c9.TMP
                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        452985016e6852b01c08b93763b82e65

                                                                                        SHA1

                                                                                        69bfd7eb330d593ae4cf1e7fbda84b0103efe474

                                                                                        SHA256

                                                                                        f78a59f3408659835ec666da55b5c62d663808d1442151d50f8f30b7081444eb

                                                                                        SHA512

                                                                                        ffcd9366d13aebda8358db439508ac473a5e6903a8377df901ccc4a2efb2e9037460fae5d7d7e66d5e057bd6d2624d4bde7a2c7cd41335f29b2f5e4c9d05f9c1

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cf75b305-41ae-4e49-85a5-7019a1182fc0.tmp
                                                                                        Filesize

                                                                                        5KB

                                                                                        MD5

                                                                                        462917ca39c8660b14c515f0fe2c94af

                                                                                        SHA1

                                                                                        d4d74c0a0893ecfcec9a1c8e9278e284c3fc61c1

                                                                                        SHA256

                                                                                        2c631f388bc34f2b33ff3fa611f7933cd8b2ee11fceec12885f7d31343e01691

                                                                                        SHA512

                                                                                        f33b937cabdb45121ab96beaa4981213652a648bd81eeccb5f53c3a567c4e4a2c1d0af4fc8df9feaac22ae3a6dd1896f0845294309844ce96dcab967675a1651

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                        Filesize

                                                                                        16B

                                                                                        MD5

                                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                                        SHA1

                                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                        SHA256

                                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                        SHA512

                                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                        Filesize

                                                                                        11KB

                                                                                        MD5

                                                                                        4dde836fc80081b838a1eb52edb0782e

                                                                                        SHA1

                                                                                        f5b76107189e79916a0ef659108f3683928ea951

                                                                                        SHA256

                                                                                        e330fe22cc984f3974a15c2ace22f4e1ca1f09baf280653dff7cd0ad15225cb8

                                                                                        SHA512

                                                                                        3b9585e430604d493c3edf4280364beba48b7d665d1c7d9fd2a4f51a37f91849a3960a60f6c32f5e9393ec8df52441acc4f087962cbc8bfd28670798f0410b5c

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                        Filesize

                                                                                        10KB

                                                                                        MD5

                                                                                        71c84b903e8e9c67d3505e9b15eed828

                                                                                        SHA1

                                                                                        c36af9e7b94b9b74010a143156c7884c83425d52

                                                                                        SHA256

                                                                                        ef844694ec28f1e683c8fc5ee67752d9ca765bd702fe9b9b2b46d3b834691c69

                                                                                        SHA512

                                                                                        2ee27c456dc79fb21c357a221c92251bf4cfa1c81e24100e74c1d3f0ab4c7ebec30ebff3999e08e73dbaceb38d38af4af0727e9a1f1220c63f12f940bebf6581

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                        Filesize

                                                                                        11KB

                                                                                        MD5

                                                                                        9180b5ffb4de483a53501366649ee658

                                                                                        SHA1

                                                                                        a5499e943659e608dd87019c60421eb6d674f278

                                                                                        SHA256

                                                                                        71d7523909b020024be930cd21af563dbe1826e4788bc0980966d467cdc664d8

                                                                                        SHA512

                                                                                        3e1061c5cbdc04a9979835043bae7c0c2ef2c465899e920772ba1fec163b8c29f4433d9ad64159fd8d2d381033dfd2733c8d83ae61e1258c620887d5b85ab60b

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
                                                                                        Filesize

                                                                                        2B

                                                                                        MD5

                                                                                        f3b25701fe362ec84616a93a45ce9998

                                                                                        SHA1

                                                                                        d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                                                                        SHA256

                                                                                        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                                                                        SHA512

                                                                                        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe:SmartScreen
                                                                                        Filesize

                                                                                        7B

                                                                                        MD5

                                                                                        4047530ecbc0170039e76fe1657bdb01

                                                                                        SHA1

                                                                                        32db7d5e662ebccdd1d71de285f907e3a1c68ac5

                                                                                        SHA256

                                                                                        82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

                                                                                        SHA512

                                                                                        8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\Downloads\11d30e6f-31e4-4d62-8d86-dd98a4f1fb31.tmp
                                                                                        Filesize

                                                                                        338KB

                                                                                        MD5

                                                                                        04fb36199787f2e3e2135611a38321eb

                                                                                        SHA1

                                                                                        65559245709fe98052eb284577f1fd61c01ad20d

                                                                                        SHA256

                                                                                        d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

                                                                                        SHA512

                                                                                        533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\Downloads\Unconfirmed 163272.crdownload
                                                                                        Filesize

                                                                                        431KB

                                                                                        MD5

                                                                                        fbbdc39af1139aebba4da004475e8839

                                                                                        SHA1

                                                                                        de5c8d858e6e41da715dca1c019df0bfb92d32c0

                                                                                        SHA256

                                                                                        630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

                                                                                        SHA512

                                                                                        74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\Downloads\Unconfirmed 357584.crdownload
                                                                                        Filesize

                                                                                        1.0MB

                                                                                        MD5

                                                                                        055d1462f66a350d9886542d4d79bc2b

                                                                                        SHA1

                                                                                        f1086d2f667d807dbb1aa362a7a809ea119f2565

                                                                                        SHA256

                                                                                        dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

                                                                                        SHA512

                                                                                        2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\Downloads\Unconfirmed 641726.crdownload
                                                                                        Filesize

                                                                                        136KB

                                                                                        MD5

                                                                                        70108103a53123201ceb2e921fcfe83c

                                                                                        SHA1

                                                                                        c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

                                                                                        SHA256

                                                                                        9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

                                                                                        SHA512

                                                                                        996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

                                                                                        Download Submit

                                                                                      • C:\Windows\BD.tmp
                                                                                        Filesize

                                                                                        60KB

                                                                                        MD5

                                                                                        347ac3b6b791054de3e5720a7144a977

                                                                                        SHA1

                                                                                        413eba3973a15c1a6429d9f170f3e8287f98c21c

                                                                                        SHA256

                                                                                        301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                                                                                        SHA512

                                                                                        9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                                                                                        Download Submit

                                                                                      • C:\Windows\infpub.dat
                                                                                        Filesize

                                                                                        401KB

                                                                                        MD5

                                                                                        1d724f95c61f1055f0d02c2154bbccd3

                                                                                        SHA1

                                                                                        79116fe99f2b421c52ef64097f0f39b815b20907

                                                                                        SHA256

                                                                                        579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

                                                                                        SHA512

                                                                                        f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

                                                                                        Download Submit

                                                                                      • C:\Windows\infpub.dat
                                                                                        Filesize

                                                                                        401KB

                                                                                        MD5

                                                                                        c4f26ed277b51ef45fa180be597d96e8

                                                                                        SHA1

                                                                                        e9efc622924fb965d4a14bdb6223834d9a9007e7

                                                                                        SHA256

                                                                                        14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

                                                                                        SHA512

                                                                                        afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

                                                                                        Download Submit

                                                                                      • \??\pipe\LOCAL\crashpad_3184_PLLHKCMDJBLVNQBW
                                                                                        MD5

                                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                                        SHA1

                                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                        SHA256

                                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                        SHA512

                                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                        Download Submit

                                                                                      • memory/804-1146-0x0000000002260000-0x00000000022C8000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/2012-1022-0x0000000002A10000-0x0000000002A78000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/2012-1051-0x0000000002A10000-0x0000000002A78000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/2012-1030-0x0000000002A10000-0x0000000002A78000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/2704-5568-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/2704-1114-0x00000000023B0000-0x0000000002418000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/2704-1106-0x00000000023B0000-0x0000000002418000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/3128-26880-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3128-1255-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3204-9290-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3700-7817-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3700-1261-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3872-1140-0x00000000005F0000-0x0000000000658000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/3872-1132-0x00000000005F0000-0x0000000000658000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/3944-1101-0x0000000002FE0000-0x0000000003048000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/3944-1093-0x0000000002FE0000-0x0000000003048000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/3988-1259-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/3988-5571-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/4344-1260-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/4344-7112-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/4352-1127-0x0000000002DB0000-0x0000000002E18000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/4352-1120-0x0000000002DB0000-0x0000000002E18000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/4788-1088-0x0000000001220000-0x0000000001288000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/4788-1080-0x0000000001220000-0x0000000001288000-memory.dmp

                                                                                        Filesize

                                                                                        416KB

                                                                                        Download

                                                                                      • memory/5024-5572-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        Download

                                                                                      • memory/5572-26930-0x000000002AA00000-0x000000002AA24000-memory.dmp

                                                                                        Filesize

                                                                                        144KB

                                                                                        Download

                                                                                      • memory/5572-26935-0x000000002AA00000-0x000000002AA24000-memory.dmp

                                                                                        Filesize

                                                                                        144KB

                                                                                        Download