Analysis

  • max time kernel
    244s
  • max time network
    246s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-11-2024 19:25

Errors

Reason
Machine shutdown

General

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a .NET remote access trojan attributed to a Pakistan-linked threat actor (Transparent Tribe, also tracked as APT36). The configuration extracted from this run points at the C2 address listed under Malware Config.

  • Crimsonrat family
  • Dharma

    Dharma (also tracked as CrySis) is a ransomware family; some distribution campaigns have bundled it with legitimate security-software installers to mask the infection. In this run the Dharma-style sequence (console code-page switch, shadow-copy deletion, Info.hta placed in both Startup folders) is visible under CoronaVirus.exe in the process tree below.

  • Dharma family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (556) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with an added extension.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Downloads MZ/PE file
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 17 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

    When files are downloaded from the Internet they are tagged with a hidden NTFS alternate data stream (ADS) named Zone.Identifier; its ZoneId value (3 for the Internet zone) is the Mark-of-the-Web (MOTW) that SmartScreen and Office Protected View consult before trusting the file. In this run the signature is attached to Edge's quarantine.mojom.Quarantine utility processes, the component that writes Zone.Identifier on completed downloads, so inspect the downloaded executables' Zone.Identifier streams before treating the hit as an evasion by the samples themselves.

  • Browser Information Discovery 1 TTPs

    Enumerates installed browsers and their configuration and profile information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage and optical drives.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (Netshell) is a command-line utility for viewing and changing the network configuration of a system. It loads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh each time it starts, so a helper registered by the sample runs whenever netsh.exe is invoked, including by legitimate scripts and management software.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • NTFS ADS 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
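
The Zone.Identifier stream behind the Mark-of-the-Web signature above, as an added example that is not part of the sandbox report: a parser for the stream's contents, with sample streams constructed inline (the URLs are placeholders on the reserved example.invalid domain, not the download location from this run), and a reader that opens the stream through Python's file:stream path syntax on an NTFS volume.

```python
"""Parse the Zone.Identifier alternate data stream (Mark-of-the-Web) of a downloaded file."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# URLZONE values used by the Windows security manager. 3 (Internet) and 4 (Restricted)
# are the zones that SmartScreen and Office Protected View treat as untrusted.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample streams (not taken from the report). The URLs are placeholders on the
# reserved example.invalid domain; a real stream carries the actual download and referrer URLs.
EDGE_DOWNLOAD_STREAM = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/downloads/\r\n"
    b"HostUrl=https://example.invalid/downloads/CrimsonRAT.exe\r\n"
)
LOCAL_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"
# A stream left behind with its ZoneId removed: Windows treats this like no MOTW at all.
STRIPPED_STREAM = b"[ZoneTransfer]\r\n"


@dataclass(frozen=True)
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def is_marked_untrusted(self) -> bool:
        # Internet and Restricted are the zones that trigger SmartScreen / Protected View.
        return self.zone_id >= 3


def _parse_ini(raw: bytes) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: the stream is ASCII/UTF-8 with CRLF line endings and no quoting."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def parse_zone_identifier(raw: bytes) -> Optional[ZoneIdentifier]:
    """Return the parsed MOTW, or None when the stream carries no usable ZoneId.

    Windows treats a stream without a ZoneId exactly like a missing stream, so callers
    should read None as "no MOTW" rather than as a parse failure.
    """
    zt = _parse_ini(raw).get("zonetransfer")
    if not zt or "zoneid" not in zt:
        return None
    try:
        zone_id = int(zt["zoneid"])
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, zt.get("referrerurl"), zt.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read and parse the stream of a file on an NTFS volume (Windows only).

    Python opens an ADS through the "file:stream" path syntax. A file with no stream,
    or a path on a non-NTFS volume, raises OSError and is reported as None.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, raw in (("edge download", EDGE_DOWNLOAD_STREAM), ("local", LOCAL_STREAM), ("stripped", STRIPPED_STREAM)):
        print(label, parse_zone_identifier(raw))
```

On the analysis VM, `read_zone_identifier(r"C:\Users\Admin\Downloads\CrimsonRAT.exe")` is the check to run before accepting the MOTW Bypass hit: a result with zone 3 means the browser tagged the file as expected, while None means the stream was never written or has been stripped.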

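Detection logic for the behaviours the tree in the Processes section shows (shadow-copy deletion, the console code-page switch that precedes it, an .hta executed from a Startup folder, and the Downloads-to-ProgramData dropper chain), as an added example that is not part of the report. The events are constructed from the report's own PIDs and command lines; the browser list is an assumption to be adjusted per estate.

```python
"""Flag the dropper and ransomware behaviours from the process tree in process-creation telemetry."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed from the PIDs and command lines shown in the report's process tree; a real
# pipeline would feed Sysmon Event ID 1 or EDR process-creation records through detect().
EVENTS = [
    ProcEvent(1616, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com'),
    ProcEvent(3572, 1616, r"C:\Users\Admin\Downloads\CrimsonRAT.exe", r'"C:\Users\Admin\Downloads\CrimsonRAT.exe"'),
    ProcEvent(3508, 3572, r"C:\ProgramData\Hdlharas\dlrarhsiva.exe", r'"C:\ProgramData\Hdlharas\dlrarhsiva.exe"'),
    ProcEvent(1828, 1616, r"C:\Users\Admin\Downloads\CoronaVirus.exe", r'"C:\Users\Admin\Downloads\CoronaVirus.exe"'),
    ProcEvent(5508, 1828, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(18248, 5508, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    ProcEvent(32812, 5508, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(22160, 1828, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'),
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}   # assumed list, extend per estate
DOWNLOADS_RE = re.compile(r"^c:\\users\\[^\\]+\\downloads\\", re.I)
STARTUP_HTA_RE = re.compile(r"\\start menu\\programs\\startup\\[^\"]+\.hta\b", re.I)

Finding = Tuple[str, int]   # (rule name, pid the rule fired on)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()   # ntpath so backslash paths split on any host OS


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the given process up to the root, for the analyst's context line."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    findings: List[Finding] = []

    for e in events:
        children[e.ppid].append(e)
        name, cl = _name(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)

        # Shadow-copy deletion: the most reliable pre-encryption signal in this tree.
        if name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
            findings.append(("shadow_copy_deletion", e.pid))
        # mshta running an .hta out of a Startup folder (ransom note plus persistence stub).
        if name == "mshta.exe" and STARTUP_HTA_RE.search(e.cmdline):
            findings.append(("startup_hta_execution", e.pid))
        # Browser directly launching an executable from the user's Downloads folder.
        if parent and _name(parent.image) in BROWSERS and DOWNLOADS_RE.match(e.image):
            findings.append(("browser_spawned_downloaded_exe", e.pid))
        # Downloaded executable spawning a second stage it staged under ProgramData.
        if parent and DOWNLOADS_RE.match(parent.image) and e.image.lower().startswith("c:\\programdata\\"):
            findings.append(("downloaded_exe_spawns_programdata_exe", e.pid))

    # Correlated rule: a cmd.exe whose children switch the console code page
    # (mode con cp select=1251) and then delete shadow copies, the sequence under CoronaVirus.exe.
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or _name(parent.image) != "cmd.exe":
            continue
        pairs = [(_name(k.image), k.cmdline.lower()) for k in kids]
        codepage = any(n == "mode.com" and "cp select" in c for n, c in pairs)
        vss = any(n == "vssadmin.exe" and "delete" in c and "shadows" in c for n, c in pairs)
        if codepage and vss:
            findings.append(("codepage_switch_then_shadow_deletion", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid:<6} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

The per-event rules are cheap enough to run on every process-creation record; the correlated rule needs the parent's children grouped together, which is why the tree is built first. Run over the constructed events, the output lists six findings and, for each, the ancestry back to the msedge.exe that launched the downloads.
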
Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
      2⤵
        PID:3648
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
        2⤵
          PID:3628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3184
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
          2⤵
            PID:3872
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
            2⤵
              PID:3040
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
              2⤵
                PID:4884
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
                2⤵
                  PID:3340
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
                  2⤵
                    PID:3208
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
                    2⤵
                      PID:2808
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
                      2⤵
                        PID:2740
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
                        2⤵
                          PID:3272
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2136
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:572
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
                          2⤵
                            PID:4612
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                            2⤵
                              PID:1152
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                              2⤵
                                PID:1988
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                                2⤵
                                  PID:2164
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                                  2⤵
                                    PID:1972
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
                                    2⤵
                                      PID:4952
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
                                      2⤵
                                        PID:4260
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
                                        2⤵
                                          PID:432
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
                                          2⤵
                                            PID:72
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
                                            2⤵
                                              PID:4916
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
                                              2⤵
                                                PID:1536
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
                                                2⤵
                                                  PID:2016
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 /prefetch:8
                                                  2⤵
                                                    PID:5052
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
                                                    2⤵
                                                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                    • NTFS ADS
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:1784
                                                  • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                                    "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:3572
                                                    • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      PID:3508
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4808 /prefetch:2
                                                    2⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:5744
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1212 /prefetch:1
                                                    2⤵
                                                      PID:5924
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
                                                      2⤵
                                                        PID:6036
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
                                                        2⤵
                                                        • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                        • NTFS ADS
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3260
                                                      • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                        "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                        2⤵
                                                        • Drops startup file
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Drops desktop.ini file(s)
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:1828
                                                        • C:\Windows\system32\cmd.exe
                                                          "C:\Windows\system32\cmd.exe"
                                                          3⤵
                                                            PID:5508
                                                            • C:\Windows\system32\mode.com
                                                              mode con cp select=1251
                                                              4⤵
                                                                PID:18248
                                                              • C:\Windows\system32\vssadmin.exe
                                                                vssadmin delete shadows /all /quiet
                                                                4⤵
                                                                • Interacts with shadow copies
                                                                PID:32812
                                                            • C:\Windows\system32\cmd.exe
                                                              "C:\Windows\system32\cmd.exe"
                                                              3⤵
                                                                PID:33348
                                                                • C:\Windows\system32\mode.com
                                                                  mode con cp select=1251
                                                                  4⤵
                                                                    PID:24608
                                                                  • C:\Windows\system32\vssadmin.exe
                                                                    vssadmin delete shadows /all /quiet
                                                                    4⤵
                                                                    • Interacts with shadow copies
                                                                    PID:17904
                                                                • C:\Windows\System32\mshta.exe
                                                                  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                  3⤵
                                                                    PID:22160
                                                                  • C:\Windows\System32\mshta.exe
                                                                    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                    3⤵
                                                                      PID:28836
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
                                                                    2⤵
                                                                      PID:30060
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:20956
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:22212
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7040 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:26868
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                      • NTFS ADS
                                                                      PID:18252
                                                                    • C:\Users\Admin\Downloads\Annabelle.exe
                                                                      "C:\Users\Admin\Downloads\Annabelle.exe"
                                                                      2⤵
                                                                      • Modifies WinLogon for persistence
                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                      • UAC bypass
                                                                      • Disables RegEdit via registry modification
                                                                      • Event Triggered Execution: Image File Execution Options Injection
                                                                      • Executes dropped EXE
                                                                      • Impair Defenses: Safe Mode Boot
                                                                      • Adds Run key to start application
                                                                      • Checks whether UAC is enabled
                                                                      • System policy modification
                                                                      PID:18976
                                                                      • C:\Windows\SYSTEM32\vssadmin.exe
                                                                        vssadmin delete shadows /all /quiet
                                                                        3⤵
                                                                        • Interacts with shadow copies
                                                                        PID:21716
                                                                      • C:\Windows\SYSTEM32\vssadmin.exe
                                                                        vssadmin delete shadows /all /quiet
                                                                        3⤵
                                                                        • Interacts with shadow copies
                                                                        PID:21744
                                                                      • C:\Windows\SYSTEM32\vssadmin.exe
                                                                        vssadmin delete shadows /all /quiet
                                                                        3⤵
                                                                        • Interacts with shadow copies
                                                                        PID:21772
                                                                      • C:\Windows\SYSTEM32\NetSh.exe
                                                                        NetSh Advfirewall set allprofiles state off
                                                                        3⤵
                                                                        • Modifies Windows Firewall
                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                        PID:21876
                                                                      • C:\Windows\System32\shutdown.exe
                                                                        "C:\Windows\System32\shutdown.exe" -r -t 00 -f
                                                                        3⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:21936
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:19676
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7448 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:20720
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7332 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:20792
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:25540
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6972 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:24896
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13377858611659023731,12046535139977913747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                      • NTFS ADS
                                                                      PID:26252
                                                                    • C:\Users\Admin\Downloads\PolyRansom.exe
                                                                      "C:\Users\Admin\Downloads\PolyRansom.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:27948
                                                                      • C:\Users\Admin\RAgMUoIw\IuYwMYUA.exe
                                                                        "C:\Users\Admin\RAgMUoIw\IuYwMYUA.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:19092
                                                                      • C:\ProgramData\QCYMskQc\iAMgoccQ.exe
                                                                        "C:\ProgramData\QCYMskQc\iAMgoccQ.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:19444
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry key
                                                                        PID:18916
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry key
                                                                        PID:16588
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry key
                                                                        PID:16556
                                                                   • C:\Windows\System32\CompPkgSrv.exe
                                                                     C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                     1⤵
                                                                     PID:2848
                                                                   • C:\Windows\System32\CompPkgSrv.exe
                                                                     C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                     1⤵
                                                                     PID:1784
                                                                   • C:\Windows\system32\svchost.exe
                                                                     C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                                     1⤵
                                                                     PID:3792
                                                                   • C:\Windows\System32\oobe\UserOOBEBroker.exe
                                                                     C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                                                                     1⤵
                                                                     • Drops file in Windows directory
                                                                     PID:4168
                                                                   • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
                                                                     C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
                                                                     1⤵
                                                                     • System Location Discovery: System Language Discovery
                                                                     PID:5132
                                                                   • C:\Windows\system32\BackgroundTransferHost.exe
                                                                     "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                                                                     1⤵
                                                                     • Modifies registry class
                                                                     PID:5308
                                                                   • C:\Windows\system32\OpenWith.exe
                                                                     C:\Windows\system32\OpenWith.exe -Embedding
                                                                     1⤵
                                                                     • Suspicious use of SetWindowsHookEx
                                                                     PID:5492
                                                                   • C:\Windows\system32\OpenWith.exe
                                                                     C:\Windows\system32\OpenWith.exe -Embedding
                                                                     1⤵
                                                                     • Suspicious use of SetWindowsHookEx
                                                                     PID:5568
                                                                   • C:\Windows\system32\vssvc.exe
                                                                     C:\Windows\system32\vssvc.exe
                                                                     1⤵
                                                                     • Suspicious use of AdjustPrivilegeToken
                                                                     PID:2460
                                                                   • C:\Windows\system32\LogonUI.exe
                                                                     "LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
                                                                     1⤵
                                                                     • Modifies data under HKEY_USERS
                                                                     • Suspicious use of SetWindowsHookEx
                                                                     PID:20160

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Downloads

                                                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-0A8822F1.[[email protected]].ncov

                                                                          Filesize

                                                                          2.7MB

                                                                          MD5

                                                                          2bb7326002d32264141135aa2acbec65

                                                                          SHA1

                                                                          9cd1fbfc2eb5fe5efdaa25f1af4bc2095dbe1e1c

                                                                          SHA256

                                                                          b8cb711f03f27d23b43e419c74944bd64faac179619dedbfc10bea8c4ebe3175

                                                                          SHA512

                                                                          cb5c6f6e6081444caa344dd3e2da68048019c83eda351bdc4f26cb2d99b67cdbd8c47b7d2b0a5af58c0ac1c3b031bfeb18ef343f9ab323f60c45ebd654df8356

                                                                        • C:\ProgramData\Hdlharas\dlrarhsiva.exe

                                                                          Filesize

                                                                          9.1MB

                                                                          MD5

                                                                          64261d5f3b07671f15b7f10f2f78da3f

                                                                          SHA1

                                                                          d4f978177394024bb4d0e5b6b972a5f72f830181

                                                                          SHA256

                                                                          87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

                                                                          SHA512

                                                                          3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

                                                                        • C:\ProgramData\Hdlharas\mdkhm.zip

                                                                          Filesize

                                                                          56KB

                                                                          MD5

                                                                          b635f6f767e485c7e17833411d567712

                                                                          SHA1

                                                                          5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

                                                                          SHA256

                                                                          6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

                                                                          SHA512

                                                                          551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          003b92b33b2eb97e6c1a0929121829b8

                                                                          SHA1

                                                                          6f18e96c7a2e07fb5a80acb3c9916748fd48827a

                                                                          SHA256

                                                                          8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

                                                                          SHA512

                                                                          18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          051a939f60dced99602add88b5b71f58

                                                                          SHA1

                                                                          a71acd61be911ff6ff7e5a9e5965597c8c7c0765

                                                                          SHA256

                                                                          2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

                                                                          SHA512

                                                                          a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\226d8f4f-b67f-4f8b-97a1-3a50f39a680b.tmp

                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          8e74f404721306260b0893478a94b3ec

                                                                          SHA1

                                                                          529bbeebb44a1d7af4b49f7dcb041ba1b7bd29ae

                                                                          SHA256

                                                                          a2def4d4456cce914e34bea8ac7e508ccd1a707cd6e3cec00d135acb5a606d68

                                                                          SHA512

                                                                          9a841a3eb7b2f2c14a5da2cacaef041ba904b15a0fb06268d37a7ab1383b27c0c565e4944d901198ef857cc1a45d9d9b64b0e9a9a73da1d122bc97c6b9eebed4

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

                                                                          Filesize

                                                                          215KB

                                                                          MD5

                                                                          e579aca9a74ae76669750d8879e16bf3

                                                                          SHA1

                                                                          0b8f462b46ec2b2dbaa728bea79d611411bae752

                                                                          SHA256

                                                                          6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

                                                                          SHA512

                                                                          df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                          Filesize

                                                                          3KB

                                                                          MD5

                                                                          a294e61262857188cefb439de68f564b

                                                                          SHA1

                                                                          5e742e21194b9bb2553aac62b19b72b4b86efddb

                                                                          SHA256

                                                                          26627a6c8c3877df647b9d84f95eb2b1de83b79c4e60c4cb7fd65fd923874124

                                                                          SHA512

                                                                          100b076607d4479a369dd4b94173b1a11bbe1dd7929b298a19a22ac1e87c886c9546102e9bad6abf294de62cf4e5ab689cd58692122fb19eab265274e1a99b48

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                          Filesize

                                                                          3KB

                                                                          MD5

                                                                          5a878bd86f252ff245b63afb225a9db7

  SHA1: 22c8f97375b57c509a9be0bdc566aac931e80b2d
  SHA256: a151d05e569d1b4dfcdc84f7ba826c2c57428d43f75f5608691afdd308f4e5a9
  SHA512: 723eadb3fad7acc1374704cb0236ab35100cc513e78bbc3f486fa5d232a5fb3f6950cb90f10190d74ba2fea843aa9f1b145609a35294c9d91e4a327bd376f5af

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 6d83ffe9488a051d08fd96e11c05429f
  SHA1: e053e355c4b2564d5181941ec9663614c5ea2bbd
  SHA256: 2ed535f49060258bb3880c5e8aa432c7e07d594613ab636495190953ff21505a
  SHA512: f32ebd563c0e71a809dbb7ea818cfcf86f7a01ff5cc7c4978fe4a52d9d65b7435d2f63e51e40a24bf4a5c67a87b9955cf3bdb4103116cd43169dad6bc48708f3

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 83f673fe1da5b623e8f27ad582c55b18
  SHA1: f0311299e5fb6b762428324a3068812d2ba978b2
  SHA256: 5c23eb5710b37e6ba51fcf9a0c1965ef5e1710f3bd6700db3e1a00ef9084170d
  SHA512: 2f5e11e5660af9c92407b95bd923fd6c4ee83497fbfa090f0c75fd784298801d988da242d6eeca392dbff12945f4a730497a7158b2e048b10c40c9df2319df90

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: e8963e67634e52b4fc60dd651514e4ea
  SHA1: 19062ee1ad84edd481d1c631ae9e1325911ab090
  SHA256: 9d68c56433f6f7e249bc8027d3c135658547a17ae2c8d91349315581c6770968
  SHA512: d9378376808bd8205ff191db976f52cb9544bba2f0b58d27b1ea11befc482207bace2965d58f86e32eeff75bd13dfbc44d652fe27408408e2a46dfaff78316d9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 580b764276c3ecad4b5c054ffe4b5f0f
  SHA1: cd076b2b3078cea05086ade74d9f1ce3435ce521
  SHA256: b9a52bc064d2b5f03c764c664467eb8988f6960f5d86b5b55fa1b0fe5ff63d52
  SHA512: 123fc35c9099b8c6de03194f907f330f223e7322a4508d16b220884c9ef2fa95acfcbddcc4eb271c9215e2e39e393ba802a776e562d391a6ecdfd5e6ce8942a2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 8c72b8662241a623f757563247eebb23
  SHA1: 990bdd3d1cfa398bc408fdf6d81b8b31fc4a06d7
  SHA256: 886b18b3d6fc78f9d0755ca4444517aea4c5a1d8492c04bfb56a9afd5370937e
  SHA512: bf9600a37860ad2d49b6c4d6011a6fc0631f8d7a9a2cabde7adbd26a8d8140410229457667ca0083416260d942ed588253c9f50c4b96aacdae0a5f64f0a37757

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 50a25ae051c51bcd5299099bb0bb6715
  SHA1: d66f4bc7ad755076c8d7fd2df375468dced962c6
  SHA256: e9e41710df3d342ad5e8b575b1e5208f75491d23ed16f81c2030356dfbe2d50a
  SHA512: 6e56f158a4f22b60889275614336679f171584c16d93f1e3f72828e93c466cb38e383fd8b3e4ed7215e01fef754650483a43e6fc3670ac9dbd87eb87091862bd

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 89561db37de01712a2bc4916de6ad807
  SHA1: 32865f256202bee8648955967619d19fbfbeec69
  SHA256: 396dff2b96d7789c9f4bd173c7c9f64c3b691419cfe9df45ad39a8c41f6603e4
  SHA512: 2cd2c60bbbf0325d108eb8a15d7bb34d30763d1a79c421cf47930a9fb13609573a1d4f6628c348d053a413c8f3929221bf60bab65ed4000a673a4d25cc72ef11

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 28af4d32a921abe6b341e77f3b6248a7
  SHA1: eefa8572e91050e57297bf14f3766ead0539effd
  SHA256: c2a521464dc8d7eea338193a9a8752e70fd15fe5ce56e9fee55cc0f21d0e5424
  SHA512: 47642c4d889d6876c997328bbc3f5bba84c432dffcf2b0086cfa17824695fca0bf006430c677b6dc0f239ce1add8356e33e6d8534b07ad941fd3f3ea1404eed1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 16005915486cc55d82459cacaf60aab9
  SHA1: f902c22bea19bd6301b95d9ba54a676fc02c4fbb
  SHA256: ca51cd3b62fb72237946c92b5dd159376258bcc3ed33bf91518fce70b262dafa
  SHA512: 1342857b44e4230f1bc586d58c25d086f6e97db1d8c3b027509c8325a30d851031f5d9c36d5a61fd793ebb0966671820cd05d0f64d3073ec48af678355a0da8d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 0462469284c6bcda3e4767178733c030
  SHA1: 4faa3837a09f6e8edef6b616bdf51d380d5cbf4c
  SHA256: 72ec4820d9477e6ea9a821cb7541b633e20aca3e59ff73c45281c71d4e58622b
  SHA512: a20d034869ee94baed82d47e52e24daa2bcbea0de3e3c94aafdc0a6830288a07fffa65b633859b1c054c7f98bc2798e6a74b28283adab5d2e0cabf27619efab5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 02b2c9fd8c7e23673cbdcf2c394afac5
  SHA1: 822b0e7937bfd35aa228d9f5713fb1e83d907a86
  SHA256: adb57e61c19c2e2d8273172f1c12de006fd7d21c21eccf377ca01c6d0d860012
  SHA512: 2bb75c48f739f8015918fea3453d5cf3dea2a821865c1220b6520c38f975164bcbfec7fefb719653a78d92ab0c31fb6067d8fcea5c48c23b35925ef32b9e1aec

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 8573ee26a537bfcc5fae2e8d865c1141
  SHA1: 7730d406e4a02075cf30dc1400f5d9a9649cfecb
  SHA256: b18d3240998b1564e0047f028e90d46b4039f87163537a6d11f7d5d80fcc0592
  SHA512: 3f783ace47285def892c454e47f1b603dc79d99ec0e36f14903dd5be67c652c6dd20878a983accb3346579825d7ea009d39d6411fce1aa0467aaff400e22d96a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: bc550603f3845a8cb7a26defae9871fa
  SHA1: c9368d7ede65ba9134f0e93932ae84704d8d404b
  SHA256: 23bd63f728854e0f9ffe9af93ab735aa21be99ca7883cca955f7f53297b7a233
  SHA512: 9b5abcb6bb67f9465f0aa5fb1ca286437f61fe777ecd2bc6dfcf5207517872736ca254f6e31a227597b4e4981f65c66982a5547a4b4951c944cb9093ed68cfb0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 22538e7b2d55e32f3272dd2f219ae00c
  SHA1: ee8f9ef739d3d243bc9737a882d6998c049fb3fd
  SHA256: 43e6b0212f5627464a3ac43f7dcfef32907aa1287988bc8f8115c08d98854907
  SHA512: b19a9fee3d1e64c0c1dfab64a08e5c72e749f245ca6258cf1753a73a2fcee2f8484108a27724c706df240d496f91e4602c54d360a03ce58313593d6d03f17fb6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58120c.TMP
  Filesize: 1KB
  MD5: 655ec1c27bd9445450dfdb409cf55812
  SHA1: 7d544d7b3b9835beccd01f085eb42fe55067c1d3
  SHA256: c07c33c425fc756cf7d5e7c587249f0059983dc1dd277364f66a90962f0f3f7f
  SHA512: 3519a03db136d441788a5539b6ea0875b0a0eb270a92d26eed680ae049a1553fd01f2a29d56f40f7d70259e176d7715cf7400548802e5c0c0db14f4701aebfd8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5abba0.TMP
  Filesize: 1KB
  MD5: ab2a62b6d002c2b6a2241c56ddb6fddb
  SHA1: ce7e8d235012c2fa4fd4d290d1d7a163331117b2
  SHA256: 94fd8e01b87aa1c514589c7828d8afbf6cb826f52f212551d17a9832c69787b1
  SHA512: 803807b77511ac8e50200710776e0fd4907d648454ece65ef103ecd9eb6012baf07ab267a0960f0bf7b852b362a73f25a975ca3073de109a1d6721a54ac79299

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\9514c48a-a780-4599-8d25-151a58984d35\2
  Filesize: 10.9MB
  MD5: c2c4450dd9dd82f2214c555cead43118
  SHA1: af8f5b2955f2f1976128d08045b35d6c939495f5
  SHA256: 838fa0b08fba45c99233254dd2e1b02840c6f2c842a3848ee1fd343d0f3dc6b7
  SHA512: 6e30efbaab63f33776e263a72a42a52fa15cf145edee80b129b50ac80be97411285dc1263cb4609896be6150ba49ba59fae3f906e9cdf55f8539da0d79837de9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
  Filesize: 16KB
  MD5: 9a8e0fb6cf4941534771c38bb54a76be
  SHA1: 92d45ac2cc921f6733e68b454dc171426ec43c1c
  SHA256: 9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
  SHA512: 12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
  Filesize: 16KB
  MD5: d926f072b41774f50da6b28384e0fed1
  SHA1: 237dfa5fa72af61f8c38a1e46618a4de59bd6f10
  SHA256: 4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
  SHA512: a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 4c96271a870d562a306ede65e3b29514
  SHA1: 7e79c69e537293a8a72036fce9385605bda18b17
  SHA256: 5ecae7372c07c2112ae437dfebb24794f4967604cd1a62689688419647834e9d
  SHA512: 835429310791ce01a450664fcf836ea53ed4e7c91a21f9b9210f6c164e9dc6b09a34dec5147945c6aba57cd096a0d5b1e072384b540869c078b35b59589c82f5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8ce046396a48b9d527a3d6a3eae1ab56
  SHA1: 06b2a09bbdeecde0cd4b27eaf4270f003934cd2b
  SHA256: 5fc4ea1b22b0da31e7eb549e9a9b59209fc43feef74bb872d5625c535109c3d7
  SHA512: 99e36a14c367e5b4462d42a49d0b4b5187536e0f9c72792a9702b538580ccc87940413749ae166aee49d95be7527016d2fad6d2e5eda93b70137177cec10ab9b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 5917e56b86b07870399fa9fbd4a7ace6
  SHA1: 8c091a0cd6672688e1c80fa3758fd86de9101b95
  SHA256: 137ce687a614ea7608d6518dc08a2d5a86deb2a335b0de365f19c1d21663df5f
  SHA512: 715b11472e27f2f8e9866e60a493489ba763228f134fb5321e476183223c41689e2b5446f85877a18f0a2a0832a0d5b54cab2600e82a73225a538ced75f2f8be

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0852f674cc5409cd6c4d339c4b9be3c8
  SHA1: 1876c3fc8668254eeb6b87fbe45ff3816ac2170c
  SHA256: c6634468523c19ad7c42839ca7a73ac35f6feb35416df0dcf514bbe5791d7702
  SHA512: 8ef38701023e702c3b22ace52409febe25632fb1998b9f181292c4be63ea71ed41a2987f8dc752d9842734dd7912a6b9ab81ad7b7098e44bd0ff3882e4459187

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe5a9c41.TMP
  Filesize: 11KB
  MD5: 5c4ab0059132befb4ab816ce9cb804d5
  SHA1: e1257828bb6f02900a48bb0c12dda08630ecf2c7
  SHA256: 1de1f96065b193744656454bf134d1ecc353c9775d6e416ec6b26edca693a165
  SHA512: 667bf8950777008362fc980f501a3eeb052062db885504e651dbe79556271e18c777689c5f47a3ddb438eb668550ee57c1fcc4ea5ab6c899113750ce4149e93f

• C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8c95ae1c-de35-4521-aef3-83d6093dbaa8.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
  Filesize: 1KB
  MD5: fdf451b6b86a14d5b5753aded5e36ae0
  SHA1: d5c1b005a2df717a7bca58feea5284764c5d0c28
  SHA256: 532fa63728421ea6d086d42bbc52aa750eca65f85ac9d3d1bba4da665c6dd3f0
  SHA512: d8c61a8dc53e13834a75c585fb479df8c81b5b36008ed4e276dc7c1b6037d1935a35a444ffb37ccc93da8918ba05d549a7d47b73c5150570e72794e612ceab88

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
  Filesize: 8KB
  MD5: 46d82ea0d8499926e014ddb694e9619b
  SHA1: 21e9e2246aa298c42767d9c5039d97cd0e177c6f
  SHA256: 616d570e7f91e4d6b68c0a3d5454b65e0113678fc4ff2edb759389fc4b1fe3f2
  SHA512: d1e0cfeea19df4e468bf9248df84b58620db2d4d4915ef6e2fc5a5c14c56a85ba9ceeb1e0b7be6cf3a5390cb33c5b90c282c049941cdbb22a5670c3467babcc9

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          c686dd8292987d228a6283fc4fccd865

                                                                          SHA1

                                                                          bdf87955cee8e50f8b34b2966a956560632bbcc0

                                                                          SHA256

                                                                          85444c4e2a0e285b0388d7760ca1c0b351ab4d9a6297345fbcc3020ff81f0efc

                                                                          SHA512

                                                                          428f12ddf8cb5b5933d94603ec289a7355b2b4ad8e59ba5dbffff055e0f7667962f965576f586b672b601c7ff79bb3552e5f8b75787e31dcf0ff78bdb8bb17bd

                                                                        • C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

                                                                          Filesize

                                                                          55B

                                                                          MD5

                                                                          0f98a5550abe0fb880568b1480c96a1c

                                                                          SHA1

                                                                          d2ce9f7057b201d31f79f3aee2225d89f36be07d

                                                                          SHA256

                                                                          2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

                                                                          SHA512

                                                                          dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 344900.crdownload

                                                                          Filesize

                                                                          1.0MB

                                                                          MD5

                                                                          055d1462f66a350d9886542d4d79bc2b

                                                                          SHA1

                                                                          f1086d2f667d807dbb1aa362a7a809ea119f2565

                                                                          SHA256

                                                                          dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

                                                                          SHA512

                                                                          2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 416234.crdownload

                                                                          Filesize

                                                                          15.9MB

                                                                          MD5

                                                                          0f743287c9911b4b1c726c7c7edcaf7d

                                                                          SHA1

                                                                          9760579e73095455fcbaddfe1e7e98a2bb28bfe0

                                                                          SHA256

                                                                          716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

                                                                          SHA512

                                                                          2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 559521.crdownload

                                                                          Filesize

                                                                          220KB

                                                                          MD5

                                                                          3ed3fb296a477156bc51aba43d825fc0

                                                                          SHA1

                                                                          9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

                                                                          SHA256

                                                                          1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

                                                                          SHA512

                                                                          dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 630797.crdownload

                                                                          Filesize

                                                                          84KB

                                                                          MD5

                                                                          b6e148ee1a2a3b460dd2a0adbf1dd39c

                                                                          SHA1

                                                                          ec0efbe8fd2fa5300164e9e4eded0d40da549c60

                                                                          SHA256

                                                                          dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

                                                                          SHA512

                                                                          4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 853504.crdownload.ANNABELLE

                                                                          Filesize

                                                                          15.9MB

                                                                          MD5

                                                                          b429600464ab2475f871129aae4303a8

                                                                          SHA1

                                                                          8040d1dfbc29194b491f2dcc505c4590299d8680

                                                                          SHA256

                                                                          e7295f1b2e60cb142eef3be1c85d29d6259fe9d7f314ab81c58deb40d0e77a56

                                                                          SHA512

                                                                          4ab197e831e142db89e0aa95b40fbde7f66c0c83da36ae8dba31325da5bb4eaab8b446063a547b81907581e370d80c43c9b8c54f21a5b8f949615ccc07be71fc

                                                                        • C:\Users\Admin\Downloads\Unconfirmed 894846.crdownload:SmartScreen

                                                                          Filesize

                                                                          7B

                                                                          MD5

                                                                          4047530ecbc0170039e76fe1657bdb01

                                                                          SHA1

                                                                          32db7d5e662ebccdd1d71de285f907e3a1c68ac5

                                                                          SHA256

                                                                          82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

                                                                          SHA512

                                                                          8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

                                                                        • memory/1828-671-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                        • memory/1828-5908-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                        • memory/1828-692-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                        • memory/3508-527-0x000001D9F0490000-0x000001D9F0DA4000-memory.dmp

                                                                          Filesize

                                                                          9.1MB

                                                                        • memory/3572-488-0x0000019D43E20000-0x0000019D43E3E000-memory.dmp

                                                                          Filesize

                                                                          120KB

                                                                        • memory/18976-26279-0x000002B0E5080000-0x000002B0E660E000-memory.dmp

                                                                          Filesize

                                                                          21.6MB

                                                                        • memory/18976-26194-0x000002B0C9950000-0x000002B0CA944000-memory.dmp

                                                                          Filesize

                                                                          16.0MB

                                                                        • memory/19092-26492-0x0000000000400000-0x0000000000431000-memory.dmp

                                                                          Filesize

                                                                          196KB

                                                                        • memory/19092-26582-0x0000000000400000-0x0000000000431000-memory.dmp

                                                                          Filesize

                                                                          196KB

                                                                        • memory/19444-26493-0x0000000000400000-0x0000000000433000-memory.dmp

                                                                          Filesize

                                                                          204KB

                                                                        • memory/19444-26585-0x0000000000400000-0x0000000000433000-memory.dmp

                                                                          Filesize

                                                                          204KB

                                                                        • memory/27948-26473-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                        • memory/27948-26499-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                          Filesize

                                                                          228KB