wannacry | 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Resubmissions

13-11-2019 07:33

191113-s6xvalyd5a 0

12-11-2019 15:34

191112-9te2mt6rbs 0

04-11-2019 16:22

191104-pvpshym7va 0

Analysis

max time kernel
140s
max time network
152s
resource
win10v191014

Sharing

Copy URL

Twitter E-mail

General

Target

test.zip
Sample

191112-9te2mt6rbs
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4900	taskhsvc.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

Inhibit System Recovery

T1490

pid	Process
1088	vssadmin.exe
1440	WMIC.exe

Wannacry file encrypt 64 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\WritePop.pptx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\DismountHide.php.WNCRYT => C:\Users\Admin\Desktop\DismountHide.php.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\DismountHide.php.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\JoinPush.wmv.WNCRYT => C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRYT => C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRYT => C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StartLock.zip.WNCRYT => C:\Users\Admin\Desktop\StartLock.zip.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StartLock.zip.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopBlock.bat.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRYT => C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\MergeStep.vsdx.WNCRYT => C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRYT => C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRYT => C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockExport.csv.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRYT => C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\AddDismount.pptm.WNCRYT => C:\Users\Admin\Documents\AddDismount.pptm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\AddDismount.pptm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRYT => C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\CloseLock.potx.WNCRYT => C:\Users\Admin\Documents\CloseLock.potx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\CloseLock.potx.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRYT => C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DismountUse.odp.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRYT => C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\OutConvert.docm.WNCRYT => C:\Users\Admin\Documents\OutConvert.docm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OutConvert.docm.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRYT => C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnregisterRead.ods.WNCRYT => C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops startup file 6 IoCs

description	ioc	pid	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB335.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB335.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB335.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB34C.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB34C.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB34C.tmp	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3208	reg.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTcbPrivilege	3036	taskse.exe
Token: SeBackupPrivilege	1260	vssvc.exe
Token: SeRestorePrivilege	1260	vssvc.exe
Token: SeAuditPrivilege	1260	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: 36	1440	WMIC.exe
Token: SeTcbPrivilege	2604	taskse.exe
Token: SeTcbPrivilege	1432	taskse.exe
Token: SeTcbPrivilege	760	taskse.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4060	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4060	svchost.exe

wannacry family
family wannacry

Drops Office document 29 IoCs

dropper exploiter maldoc

description	ioc	pid	Process
File opened for modification	C:\Users\Admin\Desktop\WritePop.pptx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OpenSplit.xltx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SkipUnlock.xltx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SuspendAssert.xlsm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SubmitDebug.ppt	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WriteDismount.xlsx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\AddDismount.pptm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ApproveMeasure.docm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\CloseLock.potx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DisconnectCompare.xltm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\NewUnprotect.xltm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OutConvert.docm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReceiveEnable.pot	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ExpandPing.doc	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\SwitchLock.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\TraceUninstall.xls	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\UninstallGet.docx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\OpenTest.dotm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\StopPop.xltm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\TraceWatch.xlsb	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RestartPublish.docm	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops file in system dir 5 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	4948	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4948	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4948	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4948	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4948	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	3836	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	3836	svchost.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

pid	Process
4896	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

T1222

pid	Process
4904	icacls.exe

Executes dropped EXE 16 IoCs

pid	Process
4220	taskdl.exe
4316	@[email protected]
3800	@[email protected]
3676	taskdl.exe
3036	taskse.exe
1872	@[email protected]
4900	taskhsvc.exe
2516	taskdl.exe
2604	taskse.exe
3128	@[email protected]
1432	taskse.exe
372	@[email protected]
3648	taskdl.exe
760	taskse.exe
828	@[email protected]
4916	taskdl.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1872	@[email protected]
4316	@[email protected]
3800	@[email protected]
3128	@[email protected]
372	@[email protected]
828	@[email protected]

Loads dropped DLL 1 IoCs

pid	Process
4900	taskhsvc.exe

Uses Volume Shadow Copy Service COM API 13 IoCs

ransomware

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1088	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}	1088	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs	1088	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\	1088	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32	1088	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler	1088	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1260	vssvc.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}	1260	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs	1260	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\	1260	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32	1260	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32	1260	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler	1260	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4896	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	72
PID 4880 wrote to memory of 4904	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	73
PID 4880 wrote to memory of 4220	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	77
PID 4880 wrote to memory of 68	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	78
PID 68 wrote to memory of 4196	68	cmd.exe	80
PID 4880 wrote to memory of 4316	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	85
PID 4880 wrote to memory of 4300	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	86
PID 4300 wrote to memory of 3800	4300	cmd.exe	88
PID 4880 wrote to memory of 3676	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	89
PID 4880 wrote to memory of 3036	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	90
PID 4880 wrote to memory of 1872	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	91
PID 4880 wrote to memory of 3020	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	92
PID 3020 wrote to memory of 3208	3020	cmd.exe	94
PID 4516 wrote to memory of 4552	4516	SppExtComObj.exe	97
PID 4316 wrote to memory of 4900	4316	@[email protected]	98
PID 3800 wrote to memory of 1032	3800	@[email protected]	101
PID 1032 wrote to memory of 1088	1032	cmd.exe	103
PID 1032 wrote to memory of 1440	1032	cmd.exe	105
PID 4880 wrote to memory of 2516	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	108
PID 4880 wrote to memory of 2604	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	109
PID 4880 wrote to memory of 3128	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	110
PID 4880 wrote to memory of 1432	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	114
PID 4880 wrote to memory of 372	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	115
PID 4880 wrote to memory of 3648	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	116
PID 4880 wrote to memory of 760	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	122
PID 4880 wrote to memory of 828	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	123
PID 4880 wrote to memory of 4916	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	124

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	1872	@[email protected]

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	3208	reg.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Wannacry file encrypt
- Drops startup file
- Drops Office document
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
PID:4880

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:4896

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:4904

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 65891573632598.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Sets desktop wallpaper using registry
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Modifies registry key
- Adds Run entry to start application
PID:3208

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Loads dropped DLL
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Deletes shadow copies
- Uses Volume Shadow Copy Service COM API
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID:1260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Deletes shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3128

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:4948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:372

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:3648

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4060

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4268

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:3836

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:828

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1107
T1089
T1158
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4880-36-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4900-257-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-233-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-68-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/4900-67-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-70-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-85-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-119-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-122-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-164-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-176-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-211-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-231-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-232-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/4900-69-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4900-397-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/4900-396-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-549-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-548-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-544-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-534-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-530-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-524-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-509-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-445-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4900-399-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download