troldesh | f0a8e42a481ab22db1aa9299045a857b41f3d916440e5399e542052356d94a8e

Resubmissions

15-02-2024 20:59

240215-zszekagc5v 10

15-02-2024 20:56

240215-zq1jvagh53 6

Analysis

max time kernel
150s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
15-02-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V.docx
Size

6KB
MD5

171f53d37a70eeaeeb5a9338afe3b320
SHA1

14d5d03abf1e54145ff2710e304bb3024f1d812e
SHA256

f0a8e42a481ab22db1aa9299045a857b41f3d916440e5399e542052356d94a8e
SHA512

16a8879fb796dc6ba1f730345ca18c732d9ffce2b9458e358a5cc861249eb031271818353df992eb861d95674456e08bcd9912c6cfaf04037d9a1ae421dfe6e8
SSDEEP

96:SxMTwP5dVjNrRRFPg7Z3RqXRKTLSQojwRBbaQPWnIwa0G5Zc7+7yRf+l5Ra6:wkIVj3Ru3tL/sg8xFc67+7yR6h

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1704	NoMoreRansom.exe
5048	NoMoreRansom.exe
2064	NoMoreRansom.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-566-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-567-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-568-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-569-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-570-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-583-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5048-585-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5048-586-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5048-587-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-588-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5048-592-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-597-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1704-625-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2064-629-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-751003968-2436847326-2055497515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
40	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-751003968-2436847326-2055497515-1000\{67C185DE-35E9-4416-A788-826F77142D6D}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 331072.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4740	WINWORD.EXE
4740	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
2488	msedge.exe
2488	msedge.exe
1088	msedge.exe
1088	msedge.exe
4552	identity_helper.exe
4552	identity_helper.exe
1084	msedge.exe
1084	msedge.exe
2188	msedge.exe
2188	msedge.exe
1704	NoMoreRansom.exe
1704	NoMoreRansom.exe
1704	NoMoreRansom.exe
1704	NoMoreRansom.exe
5048	NoMoreRansom.exe
5048	NoMoreRansom.exe
5048	NoMoreRansom.exe
5048	NoMoreRansom.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1156	1672	msedge.exe	81
PID 1672 wrote to memory of 1156	1672	msedge.exe	81
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 3628	1672	msedge.exe	82
PID 1672 wrote to memory of 2488	1672	msedge.exe	84
PID 1672 wrote to memory of 2488	1672	msedge.exe	84
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83
PID 1672 wrote to memory of 5016	1672	msedge.exe	83

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\V.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe3ca83cb8,0x7ffe3ca83cc8,0x7ffe3ca83cd8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,87563173690018364,4655362508719467540,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd0e8690afb6cc94da2feb0e0443dc81

SHA1
ece9da10c445c54071e1224bb1dc25e8a15b089f

SHA256
14d81c4f4672dd9503f4d137a36a107f1b662cff748a1edb15b53aabcec2074e

SHA512
c04a5aa810668fc5549961c866e18ad6d3e7bc7cd252239713cc0dda77266267f008d3b452d4afb91695a2ff44c30eb727a8ffcbb38ce7e75085461f617ddf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8dcc785a-e119-4584-8b31-7c8b2b261f93.tmp

Filesize
6KB

MD5
c487e49a5e9feab7a0666247bc42f0b0

SHA1
ba2a8899c7848a83fd8cb05ba6fe9ea271616e8f

SHA256
6da1889feb87213647c5bc8e0c0b1e95625e9bfdb2a811e093c9eca78b6c173e

SHA512
12b74796f720ada36303479b8f0d8faae1d96c8dead8f89831f5d12fa684abeb98f1afa1b67fb2604e1fada542c0b8d275772339b6984d16695c51c9250dd1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
b74328ac605de97417a72c47d131868f

SHA1
034dbc955d6548a142423a0701c762d2cfd534fe

SHA256
3e22f44d763f74434ee52523b40e97aff8acb0c94499db97749b6b4b363136a9

SHA512
671ef2d2cb6841b55b7501338bfa5739324477426eac87834c5bb7890a899f0f2eb0ea47ed418c564c6cc2b3cfa405d1e4d7c664296d705f95d9511a055d867b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
572249e10e40cf682c409eff422e8b5d

SHA1
0c7253beca253eb9c4e7923fa34df9c6e64cbcda

SHA256
c6f34e1de9c1f5f77d8fbdbc10fada2403051dad3a220f579ea707080d237094

SHA512
857c9fddad92f7611a47f81e40b559198f70f4850abe262b05073b6b72dc43719fd2db89742fff68d4db17db566cdbfbcf9bb5b27ee9d6c0ed4d8b28f1f56458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
853B

MD5
124bd1e3377fb208df0c6f47997488a4

SHA1
83ca4fe2e640673fabdc6ad242d37b6e515a2170

SHA256
fc7f5ee5f74c523920674afaf7012e5cc9cd36e28c5ef1f7c8b3482ba7242fa0

SHA512
540e587789d1cc54499832371d137e4d709c52479124b7db697b77f38b8f58ad6865712c30ed579851203f0ede1ca051e2178440a4e550c47da9c01c455bd935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
310b1fccac4de35a48c5546f4519858a

SHA1
3f1869e621f4a856efff82fe69d1382109f78ef1

SHA256
a5aad3346b6a369e30ec9ac0653b43dbaa78ee9bffc33b36e36674c95a9940d5

SHA512
18df7d333d606b8d363ccc9f746bdf332e565b25f3dedbb134ce13ad21b4dcc4c4bd9258c3f633c2a6e669098e97169a4834ccbaf8e18796707982f30c9cc5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d905e7096ebabb92ae6a596728e3ac6

SHA1
8ac4c499643e8704610ea306635d9096ebca22e9

SHA256
a05be5cc223377a22eeb9852282a2f9d98a573d4c7dbf697ea97f700a421dc70

SHA512
0f8ef5a4cdb4eca3cc033baed5bf34c36cd73978d09d27fa69c7cf6753fc21a9e16d252ef742b0894de46f0fb78c5466d47d734c8d6160992f45362b79c54f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
77d15dac1017e64f563c3707c96d4e15

SHA1
7add49077f5cb61c240e5c1f35e2e40e5f0617ca

SHA256
f432b627f1c6b54227390ba6fb044a553444bd555351ac12ca76d7c949e67177

SHA512
07dd79a0fbde47712d9d4793b7455740084a2f2d9d288466e026825baa97089a0aeb55010e7ca76c10dcfe404b3fefe849fcc8e8de047a6209b80bc97fb58714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba28f2b4bafcca10dcb2ec10be36eb59

SHA1
f01331e315bda15a2196c415ada0aa93ad353267

SHA256
a874a1539b949ac2c6a4b32a64ea66448129c746d8324bc6eef54ebb51d327da

SHA512
a40c7c6d45f80fecd3fc1a00929b6e9bfb4f1f6371d74ac3709ccc850c77c130561980ebae3f3c0a061cd8e2deb4533e919de33a0b8d338cf1472e0024fd315e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48e41a74721244f1e16fbdce14b2065a

SHA1
5439786776815e24b8ea53a7cf7d006760d8e690

SHA256
2a2f0a846989680ba5cfbb585bd339b25b9df8fcdbe38466d0c370666dedeaf9

SHA512
a1d725d38333f1d4c97f45d8473a10199d1c21cc026ddbae8ae789b5e7e00d9a4eb3f7977b290ef78a5a6ab27a547aba24dbfefb3f5744b89d2faf6e1c9cdb29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
ee749e7f1e4889f30e18bcf8097ffcd5

SHA1
85630218fd3fccc00faaa4ad98595cbeefe0c026

SHA256
69279ff724bf5c30735b79d0ed740d89a9fae97514bf98924e258d6bd1b24c12

SHA512
60d13b2dda4d06b5150ccfa41b2b69eceaba6be608068546ac47cfe7e0a701736d097a5ef8b7614800b55efd273fe480f34f43d75e68e83573169b86e3a19284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1fb7da059f358f2c165ef251ffdccc3

SHA1
aac78af29800dd0c3ffba5a93405437b9df0a2a5

SHA256
bbf1678ae09c73f645756beb723a318eb76c18a7dcacf7034dbb62f0993e7737

SHA512
949db42f089b90fa430391bcb3afe282e2383cc70bdadc6168a09053a7f2da6f1a72c63e82b5a23ec4a3c5ae7549c467d32ccf23d614f1bb73555b0a843e8c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53342b1bfc7999d36aa3bbc1197aa183

SHA1
9a20715237c8835ad5a1d3cfc6b2459e688dedc6

SHA256
614d15e722565f5a1d6f0a7e3a14a2aab14fb5e1b2d46e22f7f441bad6d198b8

SHA512
89f11295882fd18fd460ee52d34364223457cbc7d1aac12957e7a908dcab76602638c2f811abef56f3afd2116b70439d0cfe1eae19c3d42cf6dc59e4326ed4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
245407dcbab8008709d3a07f69de0176

SHA1
7786626c2e93069c79d7cccbfcbad7e8b3ede437

SHA256
25a5be9a460538a4487c4f748edc07bf69480c5cd1bb9c2e74525b6c1bde4ed4

SHA512
d1d6810801fc3fceaa4850272dc047fb4fbbc15cf4d7a2a7d0ba2299a333e7f5b88c8705f402a481b2bf57dffb2097ed94806ba835861c0119b758441b01965a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e942ba3b616cd992c893e13e7dc85669

SHA1
32dc5634fe72b873b989869997de65a90cf8fa7c

SHA256
4af7f87c94c8fe159c278507b7cdde1521e802e8289bad0070ff8e639a46e355

SHA512
1d22f58be27b424bab929b9e122d87bda75fa00349696777c63ec8edf8959eb87aa0cd37a37acc2e0b0cfb2c8eb1a271b262824c60ed7bdab24f4811a0dadbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587da7.TMP

Filesize
538B

MD5
2b1a6f766d1f3dccddb84d197f5d82b4

SHA1
2a650fcb243c7aac009d61193e7a13cf363ccad0

SHA256
877cebcaddadabccea5599c8878ed533977007120dc9af2ab8c2d93fbfadb961

SHA512
0057cb4937becb9fc92cf2862b8d8a2844b546ccfa080de00e91661b297d3cd0c78e49030045499f2bd658bfe4c420b7b96589021c79059f4b4147247023c88f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
529f794ba9d0a5178dff9a161f8dfbe2

SHA1
47bfb33328b1e24e17b62a8de0daad9159b54ca9

SHA256
f34038b8c876dd6fc230694959884871cb12e7cd9ab3042a1ee29d64c04f1e7c

SHA512
928f19138574ed0caf9fdd1a98029ca119234b385ad69b0a82e6a880efe420c1ba70d536eb854c7ea13e7a76d7b9604514753e4bbd60c6e71aa0c2217d5b4a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
27047c2a3c2a9d069f2d12a2512b47bf

SHA1
da876ce20ea8ec654a3e46d7fb308be54c2ca8e4

SHA256
153d1a9ba9c83521f3de59620b08f255d5a0ddf9bf6ff754284a0d8eff823c62

SHA512
a3f60df9443e261e7407a57b9a6651febf7de1d1ece4450a01b26bae36af737188f67b3639f6bbe776b6e16d953312aba53f40b71d3f4c238974ede55fa52c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0129fce3e6fcebd2218924b279fa80a2

SHA1
f342b67c2dd10168b8d240ea8c2194d8cd85a38a

SHA256
cee85bcdd705dff61cb07e781b970e801de185803338bddbc7b38ac55656a893

SHA512
5e5965872111829a8257c2d0dd6c8e5cd5cca3f333bcf4dff3eef179d380b6d98f974d30d1d11e785a5eb4071ab1a8f52d5f6b9937722962d3ce7dfe9f6cb705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6baee42da824b264cf6095e9bdc1b7b0

SHA1
86b35d10feabf96939f5d0113b7fb8b2491470a5

SHA256
4d4dcd25570ac753c90345e6017a8ee8ea545cdd8054edd786881dd6a96aef1a

SHA512
26846bdf5bda2871da2d03bbe37351c6d292a35b53052c362cf6a4e596c05bd63fce33e1b9a5200686539a41393ea93023b9086c6bd7df48ba599646581f833c

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 331072.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
memory/1704-565-0x00000000024B0000-0x000000000257E000-memory.dmp

Filesize
824KB

Download
memory/1704-566-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-625-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-597-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-588-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-583-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-570-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-569-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-568-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-567-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2064-629-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4740-6-0x00007FFE24EF0000-0x00007FFE24F00000-memory.dmp

Filesize
64KB

Download
memory/4740-18-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-14-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-12-0x00007FFE22890000-0x00007FFE228A0000-memory.dmp

Filesize
64KB

Download
memory/4740-11-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-10-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-9-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-8-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-7-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-1-0x00007FFE24EF0000-0x00007FFE24F00000-memory.dmp

Filesize
64KB

Download
memory/4740-19-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-0-0x00007FFE24EF0000-0x00007FFE24F00000-memory.dmp

Filesize
64KB

Download
memory/4740-16-0x00007FFE22890000-0x00007FFE228A0000-memory.dmp

Filesize
64KB

Download
memory/4740-15-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-17-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-13-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-5-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-233-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-20-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-25-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-21-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-2-0x00007FFE24EF0000-0x00007FFE24F00000-memory.dmp

Filesize
64KB

Download
memory/4740-22-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/4740-4-0x00007FFE24EF0000-0x00007FFE24F00000-memory.dmp

Filesize
64KB

Download
memory/4740-23-0x00007FFE636F0000-0x00007FFE637AD000-memory.dmp

Filesize
756KB

Download
memory/4740-3-0x00007FFE64E60000-0x00007FFE65069000-memory.dmp

Filesize
2.0MB

Download
memory/5048-592-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5048-587-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5048-586-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5048-585-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download