wannacry | 97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576

Analysis

max time kernel
84s
max time network
38s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
Size

845KB
MD5

584c2211a059c4018d2eddf8f669d63d
SHA1

87f2c620b3b9374bc7dd1c4cb296bc4fdcd5da25
SHA256

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576
SHA512

828f6c3a7fb7a8e339ce0a0d4a520132c7ded616b52f0598f7c2ec62dc20f648ad28e43c9a4edf9789f1824ed954f47d7d39d2bde6e02453411e6406d6a79086

Score

10^/10

wannacry discovery evasion ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

532 svchost.exe
1820 svchost.exe
1744 svchost.exe
2040 svchost.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

760 netsh.exe
1468 netsh.exe
1808 netsh.exe
1692 netsh.exe
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1672 attrib.exe
1560 attrib.exe
1764 attrib.exe
1420 attrib.exe
1032 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

pid	process
532	svchost.exe
1820	svchost.exe
1744	svchost.exe
2040	svchost.exe

pid	process
760	netsh.exe
1468	netsh.exe
1808	netsh.exe
1692	netsh.exe

pid	process
1672	attrib.exe
1560	attrib.exe
1764	attrib.exe
1420	attrib.exe
1032	attrib.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1860-55-0x0000000000400000-0x0000000000558000-memory.dmp	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/532-81-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2040-82-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1744-83-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1820-84-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/532-90-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1860-112-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1860-115-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1664 WScript.exe
Loads dropped DLL 1 IoCs

Processes:

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe

pid process

1860 97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

928 takeown.exe
Drops file in Program Files directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\program files (x86)\stormii attrib.exe

pid	process
1664	WScript.exe

pid	process
928	takeown.exe

description	ioc	process
File opened for modification	C:\program files (x86)\stormii	attrib.exe

Drops file in Windows directory 8 IoCs

Processes:

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File created	\??\c:\windows\Fonts\svchost.exe	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
File created	\??\c:\windows\Fonts\wininit.exe	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
File opened for modification	\??\c:\windows\Fonts\wininit.exe	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
File created	\??\c:\windows\demo.bat	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\Windows\tasksche.exe	attrib.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1560 sc.exe
1404 sc.exe
2004 sc.exe
1940 sc.exe
948 sc.exe
1444 sc.exe
1656 sc.exe
1116 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

816 ipconfig.exe
Kills process with WMI 10 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

748 WMIC.exe
1412 WMIC.exe
1352 WMIC.exe
1704 WMIC.exe
1800 WMIC.exe
932 WMIC.exe
1684 WMIC.exe
1128 WMIC.exe
1792 WMIC.exe
1532 WMIC.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1756 taskkill.exe
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
1560	sc.exe
1404	sc.exe
2004	sc.exe
1940	sc.exe
948	sc.exe
1444	sc.exe
1656	sc.exe
1116	sc.exe

pid	process
816	ipconfig.exe

pid	process
748	WMIC.exe
1412	WMIC.exe
1352	WMIC.exe
1704	WMIC.exe
1800	WMIC.exe
932	WMIC.exe
1684	WMIC.exe
1128	WMIC.exe
1792	WMIC.exe
1532	WMIC.exe

pid	process
1756	taskkill.exe

pid	process
464

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	748	WMIC.exe
Token: SeSecurityPrivilege	748	WMIC.exe
Token: SeTakeOwnershipPrivilege	748	WMIC.exe
Token: SeLoadDriverPrivilege	748	WMIC.exe
Token: SeSystemProfilePrivilege	748	WMIC.exe
Token: SeSystemtimePrivilege	748	WMIC.exe
Token: SeProfSingleProcessPrivilege	748	WMIC.exe
Token: SeIncBasePriorityPrivilege	748	WMIC.exe
Token: SeCreatePagefilePrivilege	748	WMIC.exe
Token: SeBackupPrivilege	748	WMIC.exe
Token: SeRestorePrivilege	748	WMIC.exe
Token: SeShutdownPrivilege	748	WMIC.exe
Token: SeDebugPrivilege	748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	748	WMIC.exe
Token: SeRemoteShutdownPrivilege	748	WMIC.exe
Token: SeUndockPrivilege	748	WMIC.exe
Token: SeManageVolumePrivilege	748	WMIC.exe
Token: 33	748	WMIC.exe
Token: 34	748	WMIC.exe
Token: 35	748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	748	WMIC.exe
Token: SeSecurityPrivilege	748	WMIC.exe
Token: SeTakeOwnershipPrivilege	748	WMIC.exe
Token: SeLoadDriverPrivilege	748	WMIC.exe
Token: SeSystemProfilePrivilege	748	WMIC.exe
Token: SeSystemtimePrivilege	748	WMIC.exe
Token: SeProfSingleProcessPrivilege	748	WMIC.exe
Token: SeIncBasePriorityPrivilege	748	WMIC.exe
Token: SeCreatePagefilePrivilege	748	WMIC.exe
Token: SeBackupPrivilege	748	WMIC.exe
Token: SeRestorePrivilege	748	WMIC.exe
Token: SeShutdownPrivilege	748	WMIC.exe
Token: SeDebugPrivilege	748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	748	WMIC.exe
Token: SeRemoteShutdownPrivilege	748	WMIC.exe
Token: SeUndockPrivilege	748	WMIC.exe
Token: SeManageVolumePrivilege	748	WMIC.exe
Token: 33	748	WMIC.exe
Token: 34	748	WMIC.exe
Token: 35	748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe

pid	process
1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.execmd.exe

description	pid	process	target process
PID 1860 wrote to memory of 888	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	cmd.exe
PID 1860 wrote to memory of 888	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	cmd.exe
PID 1860 wrote to memory of 888	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	cmd.exe
PID 1860 wrote to memory of 888	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	cmd.exe
PID 1860 wrote to memory of 1244	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1244	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1244	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1244	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1940	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1940	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1940	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1940	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 948	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 948	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 948	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 948	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1968	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1968	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1968	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1968	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1444	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1444	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1444	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1444	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 900	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 900	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 900	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 900	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1656	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1656	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1656	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1656	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 692	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 692	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 692	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 692	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 888 wrote to memory of 748	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 748	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 748	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 748	888	cmd.exe	attrib.exe
PID 1860 wrote to memory of 1116	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1116	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1116	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1116	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1856	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1856	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1856	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1856	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	net.exe
PID 1860 wrote to memory of 1560	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1560	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1560	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 1560	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	sc.exe
PID 1860 wrote to memory of 532	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 532	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 532	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 532	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1820	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1820	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1820	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1820	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1744	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1744	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1744	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe
PID 1860 wrote to memory of 1744	1860	97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe	svchost.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

748 attrib.exe
1128 attrib.exe
1032 attrib.exe
904 attrib.exe
1672 attrib.exe
1560 attrib.exe
1764 attrib.exe
1420 attrib.exe

pid	process
748	attrib.exe
1128	attrib.exe
1032	attrib.exe
904	attrib.exe
1672	attrib.exe
1560	attrib.exe
1764	attrib.exe
1420	attrib.exe

C:\Users\Admin\AppData\Local\Temp\97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe
"C:\Users\Admin\AppData\Local\Temp\97777b89eac81ccb0d81cbfcd605c12b91469109b9550700148d43b3be725576.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h -r -a C:\Windows\Fonts
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:748
- C:\Windows\SysWOW64\net.exe
  net stop lanmanserver /y
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop lanmanserver /y
    3⤵
    PID:1668
- C:\Windows\SysWOW64\sc.exe
  sc config lanmanserver start= DISABLED 2>nul
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\SysWOW64\sc.exe
  sc delete lanmanserver
  2⤵
  - Launches sc.exe
  PID:948
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.0
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.0
    3⤵
    PID:1612
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.0
  2⤵
  - Launches sc.exe
  PID:1444
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.1
  2⤵
  PID:900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.1
    3⤵
    PID:1692
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.1
  2⤵
  - Launches sc.exe
  PID:1656
- C:\Windows\SysWOW64\net.exe
  net stop Natihial
  2⤵
  PID:692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Natihial
    3⤵
    PID:1580
- C:\Windows\SysWOW64\sc.exe
  sc delete Natihial
  2⤵
  - Launches sc.exe
  PID:1116
- C:\Windows\SysWOW64\net.exe
  net stop RpcEptManger
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RpcEptManger
    3⤵
    PID:1604
- C:\Windows\SysWOW64\sc.exe
  sc delete RpcEptManger
  2⤵
  - Launches sc.exe
  PID:1560
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe install RpcEptManger c:\windows\Fonts\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:532
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set RpcEptManger DisplayName RPC Endpoint Manger
  2⤵
  - Executes dropped EXE
  PID:1820
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set RpcEptManger Description RPC performance library information from Windows Management.
  2⤵
  - Executes dropped EXE
  PID:1744
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe start RpcEptManger
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\demo.bat
  2⤵
  - Drops file in Drivers directory
  PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\Drivers\etc\hosts /a
    3⤵
    - Modifies file permissions
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    3⤵
    PID:908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:1128
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\Drivers\etc\hosts /g system:f
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h -r -a C:\ProgramData
    3⤵
    - Views/modifies file attributes
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData\new\csrss.exe /d everyone
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData\expl0rer.exe /d everyone
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\windows\svchost.exe /d everyone
    3⤵
    PID:960
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "Adobe Flash Player Updaters" /f
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\new\\csrss.exe'" call Terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1128
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1412
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1792
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1352
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1704
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1800
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\Windows\svchost.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\svchost.exe /d everyone
    3⤵
    PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im tasksche.exe
    3⤵
    - Kills process with taskkill
    PID:1756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\Windows\tasksche.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\tasksche.exe /d everyone
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r +a C:\ProgramData
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1764
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\program files (x86)\stormii\server.exe" /d everyone
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r +a "C:\program files (x86)\stormii"
    3⤵
    - Sets file to hidden
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\program files (x86)\stormii" /d everyone
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
    3⤵
    - Kills process with WMI
    PID:932
- - C:\Windows\SysWOW64\sc.exe
    sc delete SuperProServerST
    3⤵
    - Launches sc.exe
    PID:1404
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= auto
    3⤵
    - Launches sc.exe
    PID:2004
- - C:\Windows\SysWOW64\net.exe
    net start MpsSvc
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start MpsSvc
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:760
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:1468
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
    3⤵
    - Modifies Windows Firewall
    PID:1808
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:1692
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add policy name=win
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filterlist name=Allowlist
    3⤵
    PID:564
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filterlist name=denylist
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    3⤵
    PID:436
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filteraction name=Allow action=permit
    3⤵
    PID:316
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filteraction name=deny action=block
    3⤵
    PID:972
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static set policy name=win assign=y
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ver "
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\find.exe
    find "5.1."
    3⤵
    PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
832ba0698d66506d3b2a0b31f3f5b029

SHA1
84c03c4eb4debfdacc6a4372f367101db20f6e99

SHA256
8143bd86cedbb6a3f85a8ee2d7e548ec0236044766107f4f30347a5add2e1ddf

SHA512
db6e36ee4d38bc9012b0f5f82c48e3fdaa82467010f543058882fbe6819bf48d7aaba3b9e90d29d19d9548f84dec59e7eefe2f669e21ef0c37797a051f43d28c

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\system32\Drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\??\c:\windows\demo.bat

Filesize
4KB

MD5
33576f7335f2415e0399b7981234026c

SHA1
2302ea2cec37abe1022b9f928922b1cff9ced461

SHA256
54194bd2737b9b8c1c190d0362da270571bda661d1c3b2844d71ba2fbc94f264

SHA512
2f13652a4b79c760ab69be5e7ae92bf9b9a500d05d4c1031868e31c517929e00690e0c4a46f520b581e6e07136b49f63eff94bc02a6dd35d7694535bc02dbe55

Download Submit
\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
memory/532-81-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/532-90-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/532-70-0x0000000000000000-mapping.dmp

Download
memory/692-64-0x0000000000000000-mapping.dmp

Download
memory/748-113-0x0000000000000000-mapping.dmp

Download
memory/748-65-0x0000000000000000-mapping.dmp

Download
memory/816-99-0x0000000000000000-mapping.dmp

Download
memory/820-110-0x0000000000000000-mapping.dmp

Download
memory/888-56-0x0000000000000000-mapping.dmp

Download
memory/900-62-0x0000000000000000-mapping.dmp

Download
memory/904-101-0x0000000000000000-mapping.dmp

Download
memory/908-91-0x0000000000000000-mapping.dmp

Download
memory/928-85-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/952-89-0x0000000000000000-mapping.dmp

Download
memory/960-111-0x0000000000000000-mapping.dmp

Download
memory/980-128-0x0000000000000000-mapping.dmp

Download
memory/1032-95-0x0000000000000000-mapping.dmp

Download
memory/1048-107-0x0000000000000000-mapping.dmp

Download
memory/1116-66-0x0000000000000000-mapping.dmp

Download
memory/1128-94-0x0000000000000000-mapping.dmp

Download
memory/1128-120-0x0000000000000000-mapping.dmp

Download
memory/1156-118-0x0000000000000000-mapping.dmp

Download
memory/1244-57-0x0000000000000000-mapping.dmp

Download
memory/1348-131-0x0000000000000000-mapping.dmp

Download
memory/1352-123-0x0000000000000000-mapping.dmp

Download
memory/1356-135-0x0000000000000000-mapping.dmp

Download
memory/1412-121-0x0000000000000000-mapping.dmp

Download
memory/1420-137-0x0000000000000000-mapping.dmp

Download
memory/1444-127-0x0000000000000000-mapping.dmp

Download
memory/1444-61-0x0000000000000000-mapping.dmp

Download
memory/1464-97-0x0000000000000000-mapping.dmp

Download
memory/1476-106-0x0000000000000000-mapping.dmp

Download
memory/1480-96-0x0000000000000000-mapping.dmp

Download
memory/1484-104-0x0000000000000000-mapping.dmp

Download
memory/1532-134-0x0000000000000000-mapping.dmp

Download
memory/1560-109-0x0000000000000000-mapping.dmp

Download
memory/1560-130-0x0000000000000000-mapping.dmp

Download
memory/1560-68-0x0000000000000000-mapping.dmp

Download
memory/1580-88-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000000000-mapping.dmp

Download
memory/1612-92-0x0000000000000000-mapping.dmp

Download
memory/1656-132-0x0000000000000000-mapping.dmp

Download
memory/1656-63-0x0000000000000000-mapping.dmp

Download
memory/1664-114-0x0000000000000000-mapping.dmp

Download
memory/1668-93-0x0000000000000000-mapping.dmp

Download
memory/1672-103-0x0000000000000000-mapping.dmp

Download
memory/1672-126-0x0000000000000000-mapping.dmp

Download
memory/1684-119-0x0000000000000000-mapping.dmp

Download
memory/1692-87-0x0000000000000000-mapping.dmp

Download
memory/1704-124-0x0000000000000000-mapping.dmp

Download
memory/1744-83-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1744-73-0x0000000000000000-mapping.dmp

Download
memory/1756-129-0x0000000000000000-mapping.dmp

Download
memory/1760-102-0x0000000000000000-mapping.dmp

Download
memory/1764-133-0x0000000000000000-mapping.dmp

Download
memory/1772-108-0x0000000000000000-mapping.dmp

Download
memory/1792-122-0x0000000000000000-mapping.dmp

Download
memory/1800-125-0x0000000000000000-mapping.dmp

Download
memory/1820-72-0x0000000000000000-mapping.dmp

Download
memory/1820-84-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1828-105-0x0000000000000000-mapping.dmp

Download
memory/1856-67-0x0000000000000000-mapping.dmp

Download
memory/1860-80-0x0000000000370000-0x00000000003C3000-memory.dmp

Filesize
332KB

Download
memory/1860-55-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1860-136-0x0000000000000000-mapping.dmp

Download
memory/1860-115-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1860-112-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1908-78-0x0000000000000000-mapping.dmp

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/2040-82-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2040-75-0x0000000000000000-mapping.dmp

Download