wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7
submitted
03-09-2020 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

ransomware worm wannacry discovery persistence spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe

pid	process
1360	taskdl.exe
1772	@WanaDecryptor@.exe
1668	@WanaDecryptor@.exe
2020	taskhsvc.exe
1980	taskse.exe
1852	@WanaDecryptor@.exe
1856	taskdl.exe
1184	taskse.exe
2036	@WanaDecryptor@.exe
1964	taskdl.exe
1708	taskse.exe
1560	@WanaDecryptor@.exe
1884	taskdl.exe
692	taskse.exe
884	@WanaDecryptor@.exe
1412	taskdl.exe

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ConvertFromStop.raw.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw.WNCRYT => C:\Users\Admin\Pictures\ConvertFromStop.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromStop.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\InstallDisable.raw.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\InstallDisable.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\SkipRemove.png.WNCRYT => C:\Users\Admin\Pictures\SkipRemove.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\InstallDisable.raw.WNCRYT => C:\Users\Admin\Pictures\InstallDisable.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\SkipRemove.png.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\SkipRemove.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\UnprotectSwitch.tiff.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSwitch.tiff.WNCRYT => C:\Users\Admin\Pictures\UnprotectSwitch.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSwitch.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSwitch.tiff	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2A45.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2A49.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Loads dropped DLL 39 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@WanaDecryptor@.exetaskhsvc.exe

pid	process
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1032	cscript.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1940	cmd.exe
1940	cmd.exe
1772	@WanaDecryptor@.exe
1772	@WanaDecryptor@.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1900 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1900	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pzkqrqnhucon571 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe	js
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe	js
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe	js
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll	js
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll	js

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1980 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2036 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1168 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

324 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

2020 taskhsvc.exe
2020 taskhsvc.exe
2020 taskhsvc.exe

pid	process
1980	ipconfig.exe

pid	process
2036	vssadmin.exe

pid	process
1168	reg.exe

pid	process
324	PING.EXE

pid	process
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exeAUDIODG.EXEtaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: SeTcbPrivilege	1980	taskse.exe
Token: SeTcbPrivilege	1980	taskse.exe
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE
Token: SeTcbPrivilege	1184	taskse.exe
Token: SeTcbPrivilege	1184	taskse.exe
Token: SeTcbPrivilege	1708	taskse.exe
Token: SeTcbPrivilege	1708	taskse.exe
Token: SeTcbPrivilege	692	taskse.exe
Token: SeTcbPrivilege	692	taskse.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
1772	@WanaDecryptor@.exe
1668	@WanaDecryptor@.exe
1772	@WanaDecryptor@.exe
1668	@WanaDecryptor@.exe
1852	@WanaDecryptor@.exe
1852	@WanaDecryptor@.exe
2036	@WanaDecryptor@.exe
1560	@WanaDecryptor@.exe
884	@WanaDecryptor@.exe

Suspicious use of WriteProcessMemory 110 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.execmd.exe@WanaDecryptor@.exe@WanaDecryptor@.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 1888	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1156 wrote to memory of 1888	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1156 wrote to memory of 1888	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1156 wrote to memory of 1888	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1156 wrote to memory of 1900	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1156 wrote to memory of 1900	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1156 wrote to memory of 1900	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1156 wrote to memory of 1900	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1156 wrote to memory of 1360	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1156 wrote to memory of 1360	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1156 wrote to memory of 1360	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1156 wrote to memory of 1360	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1156 wrote to memory of 1424	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1424	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1424	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1424	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1424 wrote to memory of 1032	1424	cmd.exe	cscript.exe
PID 1424 wrote to memory of 1032	1424	cmd.exe	cscript.exe
PID 1424 wrote to memory of 1032	1424	cmd.exe	cscript.exe
PID 1424 wrote to memory of 1032	1424	cmd.exe	cscript.exe
PID 1944 wrote to memory of 1980	1944	cmd.exe	ipconfig.exe
PID 1944 wrote to memory of 1980	1944	cmd.exe	ipconfig.exe
PID 1944 wrote to memory of 1980	1944	cmd.exe	ipconfig.exe
PID 1156 wrote to memory of 1772	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1772	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1772	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1772	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1940	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1940	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1940	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1940	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1940 wrote to memory of 1668	1940	cmd.exe	@WanaDecryptor@.exe
PID 1940 wrote to memory of 1668	1940	cmd.exe	@WanaDecryptor@.exe
PID 1940 wrote to memory of 1668	1940	cmd.exe	@WanaDecryptor@.exe
PID 1940 wrote to memory of 1668	1940	cmd.exe	@WanaDecryptor@.exe
PID 1772 wrote to memory of 2020	1772	@WanaDecryptor@.exe	taskhsvc.exe
PID 1772 wrote to memory of 2020	1772	@WanaDecryptor@.exe	taskhsvc.exe
PID 1772 wrote to memory of 2020	1772	@WanaDecryptor@.exe	taskhsvc.exe
PID 1772 wrote to memory of 2020	1772	@WanaDecryptor@.exe	taskhsvc.exe
PID 1668 wrote to memory of 328	1668	@WanaDecryptor@.exe	cmd.exe
PID 1668 wrote to memory of 328	1668	@WanaDecryptor@.exe	cmd.exe
PID 1668 wrote to memory of 328	1668	@WanaDecryptor@.exe	cmd.exe
PID 1668 wrote to memory of 328	1668	@WanaDecryptor@.exe	cmd.exe
PID 328 wrote to memory of 2036	328	cmd.exe	vssadmin.exe
PID 328 wrote to memory of 2036	328	cmd.exe	vssadmin.exe
PID 328 wrote to memory of 2036	328	cmd.exe	vssadmin.exe
PID 328 wrote to memory of 2036	328	cmd.exe	vssadmin.exe
PID 328 wrote to memory of 1440	328	cmd.exe	WMIC.exe
PID 328 wrote to memory of 1440	328	cmd.exe	WMIC.exe
PID 328 wrote to memory of 1440	328	cmd.exe	WMIC.exe
PID 328 wrote to memory of 1440	328	cmd.exe	WMIC.exe
PID 1156 wrote to memory of 1980	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1156 wrote to memory of 1980	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1156 wrote to memory of 1980	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1156 wrote to memory of 1980	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1156 wrote to memory of 1852	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1852	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1852	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1852	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1156 wrote to memory of 1632	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1632	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1632	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1632	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1156 wrote to memory of 1856	1156	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1888 attrib.exe

pid	process
1888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1888

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1900

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c 53311599143526.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:1032

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2036

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1168

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:884

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:1980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1672

C:\Windows\system32\PING.EXE
ping 8.8.8.8
2⤵
- Runs ping.exe
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\53311599143526.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe.lnk

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@WanaDecryptor@.bmp

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
memory/324-770-0x0000000000000000-mapping.dmp

Download
memory/328-707-0x0000000000000000-mapping.dmp

Download
memory/692-773-0x0000000000000000-mapping.dmp

Download
memory/884-777-0x0000000000000000-mapping.dmp

Download
memory/1032-50-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/1032-45-0x0000000000000000-mapping.dmp

Download
memory/1156-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1168-723-0x0000000000000000-mapping.dmp

Download
memory/1184-728-0x0000000000000000-mapping.dmp

Download
memory/1360-41-0x0000000000000000-mapping.dmp

Download
memory/1412-781-0x0000000000000000-mapping.dmp

Download
memory/1424-43-0x0000000000000000-mapping.dmp

Download
memory/1440-709-0x0000000000000000-mapping.dmp

Download
memory/1560-744-0x0000000000000000-mapping.dmp

Download
memory/1632-717-0x0000000000000000-mapping.dmp

Download
memory/1668-60-0x0000000000000000-mapping.dmp

Download
memory/1668-59-0x0000000000000000-mapping.dmp

Download
memory/1708-740-0x0000000000000000-mapping.dmp

Download
memory/1772-54-0x0000000000000000-mapping.dmp

Download
memory/1852-716-0x0000000000000000-mapping.dmp

Download
memory/1856-721-0x0000000000000000-mapping.dmp

Download
memory/1884-748-0x0000000000000000-mapping.dmp

Download
memory/1888-0-0x0000000000000000-mapping.dmp

Download
memory/1900-1-0x0000000000000000-mapping.dmp

Download
memory/1940-56-0x0000000000000000-mapping.dmp

Download
memory/1964-736-0x0000000000000000-mapping.dmp

Download
memory/1980-712-0x0000000000000000-mapping.dmp

Download
memory/1980-51-0x0000000000000000-mapping.dmp

Download
memory/2020-80-0x0000000002E30000-0x0000000002E41000-memory.dmp

Filesize
68KB

Download
memory/2020-414-0x0000000003470000-0x0000000003481000-memory.dmp

Filesize
68KB

Download
memory/2020-415-0x0000000003060000-0x0000000003071000-memory.dmp

Filesize
68KB

Download
memory/2020-81-0x0000000002A20000-0x0000000002A31000-memory.dmp

Filesize
68KB

Download
memory/2020-79-0x0000000002A20000-0x0000000002A31000-memory.dmp

Filesize
68KB

Download
memory/2020-413-0x0000000003060000-0x0000000003071000-memory.dmp

Filesize
68KB

Download
memory/2020-248-0x0000000002A20000-0x0000000002A31000-memory.dmp

Filesize
68KB

Download
memory/2020-247-0x0000000002E30000-0x0000000002E41000-memory.dmp

Filesize
68KB

Download
memory/2020-65-0x0000000000000000-mapping.dmp

Download
memory/2020-246-0x0000000002A20000-0x0000000002A31000-memory.dmp

Filesize
68KB

Download
memory/2036-708-0x0000000000000000-mapping.dmp

Download
memory/2036-732-0x0000000000000000-mapping.dmp

Download