troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom[.]zip

Resubmissions

21/07/2024, 11:29

240721-nlvl9aygqb 6

21/07/2024, 11:22

240721-ngvrfs1dkr 10

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3712-136-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-138-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-140-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-137-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-143-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-144-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-145-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-146-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4552-150-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4016-152-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-153-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4180-155-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4552-156-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4016-160-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4180-162-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-179-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-180-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
114	camo.githubusercontent.com
115	camo.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660346349762864"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1868	msedge.exe
1868	msedge.exe
3532	msedge.exe
3532	msedge.exe
1740	identity_helper.exe
1740	identity_helper.exe
4152	msedge.exe
4152	msedge.exe
3712	[email protected]
3712	[email protected]
3712	[email protected]
3712	[email protected]
1544	[email protected]
1544	[email protected]
1544	[email protected]
1544	[email protected]
4552	[email protected]
4552	[email protected]
4552	[email protected]
4552	[email protected]
4016	[email protected]
4016	[email protected]
4016	[email protected]
4016	[email protected]
4180	[email protected]
4180	[email protected]
4180	[email protected]
4180	[email protected]
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
1908	chrome.exe
1908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	taskmgr.exe
Token: SeSystemProfilePrivilege	2256	taskmgr.exe
Token: SeCreateGlobalPrivilege	2256	taskmgr.exe
Token: 33	2256	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2256	taskmgr.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4076	3532	msedge.exe	84
PID 3532 wrote to memory of 4076	3532	msedge.exe	84
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 1868	3532	msedge.exe	86
PID 3532 wrote to memory of 1868	3532	msedge.exe	86
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff904346f8,0x7fff90434708,0x7fff90434718
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff80e0cc40,0x7fff80e0cc4c,0x7fff80e0cc58
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:6052

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
78f3dd894aeb1530d2a97e2025476668

SHA1
aa855aeba1e4c1dd6d4c33c5617b4937374f178a

SHA256
8397c08ccff92c027d1b407d8f0d1fd474f0c39947a5a06e168a819f5c528bd7

SHA512
6f85af30dc07c98d1787cffba3a196108847e3a60cd73ed60109f3cff5cbd761e47173a64721a4b6af17220f50fe80770e21e4fb272f2afcc10655568ba0b77a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e93980c4122c2570bf17a0d1e2c890be

SHA1
14efc026bd1c58446e9788c98d57aa83d466d639

SHA256
fbb4f93711e0764d9da85564803f688cd89f5763d5ace9ea169ef4d9d7f9c5f0

SHA512
bead31cbc82774ceab7dda8c8219052588a0143d4a0c05905e9f798405175952eae07d795ce62600a3292860db2086888e00f6cf153d29cd102e59546a2fac52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1d072a9db966275110a6ab4e93bc1e8e

SHA1
7b0cc49cc83429e774bc18d5b15c179a468acb4c

SHA256
e5848302d9f5c57add0e87f5a8d398ccbffca7d71df154ed3d8b7d3a470deb26

SHA512
164b2ac6fcd261f1f5b671273e7573a4803aae649002a440df0cffb73eee3731415b39973f2abc5b896dc56efbeb41fd8b28a105d001210b61bf0a464c46fdd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bdfa8584bc88b4cc74e522fe3c2846ab

SHA1
ab51b216e45ad6c5998a20bac4740d5997f2b648

SHA256
1a184fc12737f81de3bf36c18ac724605a4cde30acf781690b409f893eb8db80

SHA512
21c05950f71341e133395dc4cbb5aa3bc9cefd2e54dca22b6976ce58713c6de687264a0199c698a648f50032e413e7a5236d97c0a832f8fea72184f43b0c417b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
38c85ea21bf290989abc012517407dd9

SHA1
6acbf91a6e78b96f20f0dc99009d4ebc902b1cd7

SHA256
9d64dacc4c54b0e1340df77988b2cf01e6e98586d3bfc2bd04dc6cd0de73205f

SHA512
9c25bb2b34c522171063e8c497b27563cd35456640833671538a3d0db6399a743d5d70e0fd58785f56e60f0498ef2b108e20483873849c81848b7f768cae5016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5a7eec352961c379e07765e8964338c4

SHA1
a0dd1beecd3951b04d3ecd49b5541fdf5c397982

SHA256
6f5e0baa06bd019d8daf149c4a17e7d2ec3ba7809f0436efc6f01c72d6d77189

SHA512
6b37e5841f08a2154ce8dd23ddd7faf08d619ad3db77d18657bb60a788947f02fa3d5eccfba0fb1393d76322601108b98373af57a55a97cde3b7a5cb8cf085d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70abdfdef4ee4ffe9db904afc930f50b

SHA1
31964586279c7a0c8399ba2ebdc595c31152ce45

SHA256
db7bc923e10fdbb24d642e91b60e1e8d160ba0871dac229406a508415af20f4e

SHA512
b3a0561e7a8669dfd5661ef52f99e5d89e6ea21ab065a02fa6805504831cfc42619c9267b714da59081ab91b33eb78ca5bf7b731a0cb296fb2eeb3646e093de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbd27c0b90fa4e98dec670ea00f87e34

SHA1
439aa9ca3420a76ddb55fa22ffc747be3673dba8

SHA256
07701406c637a10f479139b88abec60dcaf23af188d6d35a228aaf9aae1c2ffa

SHA512
c895d76d56fca02aba53f3ccdd4e5b78b3bb509c3a26a0d9808d9eb28768fee319e45713fda2456f779d477d7630d2600480ea976a0914a0e62516ab3de7e1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6883dc81f7876e35e7be9a6b25af53a4

SHA1
fbc94714a05e5a33fc2f81702ba6ce30365ed2af

SHA256
fdd313f03d764d84a2bdcc60a9bf04db113068c949c8dcacc87a62d54c0c469d

SHA512
0365e0f065dfcfa32c4469fc74d15add7300d8d8e8aba6f36d0b5a7edb9e0366f258ee7aa073540dd3016d03afd5d255f10708720dd37ff09a8de872192b5de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
abb43758e5ac28dda6ad6d8421570e92

SHA1
9b47f0a008d0d94e111c83f864739c1147ed4bda

SHA256
f4a42650461cd31db49ecfb078975a085f29dd4b20e338bbc5dca418cad6a3f0

SHA512
82a913e86cabfe0112ef3e21f1b73d1c40206d9790c3840ebaa0cb47f089fc5086f784e58cbf186a6767087c9ebeeb216ae8f5363ea62759caf49aad43fb3fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
baf30fdd36390395e08110764b8fbbdc

SHA1
06369c38c1b47364551d111310e1d11076e28539

SHA256
a64b40162f91b3d5a550c6a395dc00ba95ddddb62b5811a190953606b8d89689

SHA512
856d2088e53666612522c4bb49fc44a8940bff0445596e93140063b10241585a523563221f5e02583381012706eb5a184d6c4c0ce05ae533aabe1f0dc0bf62fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
72dc1b00cbd8678c7ef6f4562ca80259

SHA1
6b1a342a7b9c10f8c3d4c97ddab3ad666df2cee7

SHA256
105cfe13a8390f50fdbec81c990a9b8487b44fc4202bd3362084cf365c484e30

SHA512
5a84d16b20fefefcf1489bda0e1bfc9c1aaf1bb1d93a2f199fd39697c34a7b0b8c56275378ee854c4c7a947c864419783c6f880169164025b0cace7079fd4df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b99802bb4191f6b47189af3f3c6be246

SHA1
0ec187ef3ec6582fb1c64499d96c14327cbd4e5f

SHA256
b9341e55e1dc1140bc45194a9003ff7869480b1918eeb1a995cfceb923f754db

SHA512
b0329ea1a833893a23af1e35fe082a41f6ad1706b259835e4a285b97e78c8f5c7ee6186da342d2b1a4d60da265c20cfb48aeb0fb32deb495caf3200d33fac28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b09b426565ba8b55629190172c064da

SHA1
fa747fd4f2c6281849b1c09af533d04cd48fa1e8

SHA256
6b49de4270bde53964dbd511ad702cef468b15798b8cf820a44333c1d22caada

SHA512
d2727f8375f68d3dc4f28825cb9b4643ed382e8c78e25177a878a444c39dd3e1010d78783b66c216a5dbbf457157b89d40753b18e5a2bf8a836ce197c2ce03d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ae48bbc68774b383d41127bc30a06b3

SHA1
3777df8d86439ef625c86eaa1cc44e31ba309529

SHA256
cf7edd55aa5ba4ec4a69b9d9be220d8a485b0a1c9fed6c35e427da29c3d95781

SHA512
bd6448c7432c4c77e06d5ceff72bc2ccd894a8182a0f467c85e5876a3f78432074b473c36acbd0866053b9aafb10db2328e1b5f5aa53ed84105806572968e7a0

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
memory/1544-145-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1544-146-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1544-144-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-165-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-177-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-176-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-175-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-174-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-173-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-172-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-171-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-167-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-166-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/3712-137-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-143-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-179-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-136-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-138-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-140-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-180-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-153-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4016-152-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4016-160-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4180-155-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4180-162-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4552-150-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4552-156-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download