Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
23-05-2020 09:47
General
-
Target
2020-05-22_17-36-19.bin.exe
-
Size
448KB
-
MD5
412568f078ec521bdba6ae14b9f36823
-
SHA1
3e5a80fe286834f6d5f0aaf014a420ec40ebad7d
-
SHA256
e2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4
-
SHA512
9e979c3873778991bfd05b22370fbab32f7ec16dd78b8c3f2b0f54ccfd26fcdfc84f881bdf4414d24228ad2a19ef00ecb062dd5e9e2e243966f1276698f1ff85
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\README_LOCK.TXT
Ransom Note
#############################################################
################# YOUR FILES WERE ENCRYPTED #################
############ AND MARKED BY EXTENSION .corona-lock ###########
#############################################################
--
DON'T WORRY! YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via email to:
---------------------------->> support@covidworldcry.com <<
and send us your id: >> 1598982272 <<
--
HOW to understand that we are NOT scammers?
You can ask SUPPORT for the TEST-decryption for ONE file!
--
#############################################################
################## LIST OF ENCRYPTED FILES ##################
-------------------------------------------------------------
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt 372682
C:\vcredist2010_x64.log.html 88914
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log 169690
C:\Program Files\Mozilla Firefox\precomplete 2865
C:\Program Files\Mozilla Firefox\removed-files 16
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log 197548
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log 171954
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log 193090
C:\Users\Admin\deployment.properties 1646
C:\Users\Admin\ntuser.dat.LOG1 0
C:\Users\Admin\ntuser.dat.LOG2 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 0
C:\Users\Default\NTUSER.DAT.LOG 1024
C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log 120802
C:\Users\Default\NTUSER.DAT.LOG1 189440
C:\Users\Default\NTUSER.DAT.LOG2 0
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 65536
C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log 131680
C:\Recovery\44e79742-8b20-11ea-a722-f2e765a3a928\boot.sdi 3170304
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 524288
C:\Program Files\Java\jre7\COPYRIGHT 3409
C:\Program Files\Java\jre7\LICENSE 41
C:\Program Files\Java\jre7\release 507
C:\Program Files (x86)\Common Files\Adobe AIR\sentinel 11
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 524288
C:\Users\Admin\Contacts\Admin.contact 68374
C:\Users\Public\Libraries\RecordedTV.library-ms 876
C:\Users\Admin\Desktop\BackupComplete.rar 771573
C:\Users\Admin\Desktop\DebugComplete.wpl 483868
C:\Users\Admin\Desktop\DismountTest.001 1072326
C:\Users\Admin\Desktop\FormatDeny.dib 274628
C:\Users\Admin\Desktop\ImportApprove.odt 405403
C:\Users\Admin\Desktop\InvokeCopy.ocx 562333
C:\Users\Admin\Music\CompareOut.DVR-MS 837460
C:\Users\Admin\Desktop\LockStart.aiff 719263
C:\Users\Admin\Music\ComparePush.vst 657084
C:\Users\Admin\Music\CompressPush.crw 296332
C:\Users\Admin\Desktop\MeasureMount.dotm 510023
C:\Users\Admin\Desktop\MoveConvertFrom.mpv2 379248
C:\Users\Admin\Music\ConfirmOpen.MOD 708620
C:\Users\Admin\Music\CopySend.mht 605548
C:\Users\Admin\Desktop\ProtectStep.crw 457713
C:\Users\Admin\Downloads\AssertUse.ADT 595470
C:\Users\Admin\Documents\Are.docx 11525
C:\Users\Admin\Documents\CheckpointUnpublish.vsw 2166705
C:\Users\Admin\Documents\ClearWatch.vstx 1011129
C:\Users\Admin\Desktop\ReceiveResize.shtml 745418
C:\Users\Admin\Desktop\RemoveApprove.shtml 353093
C:\Users\Admin\Music\DenyRestart.MTS 760156
C:\Users\Admin\Desktop\RemoveUndo.ex_ 431558
C:\Users\Admin\Desktop\RevokeUnlock.bat 300783
C:\Users\Admin\Music\DismountReset.rtf 528244
C:\Users\Admin\Desktop\SearchDebug.php 666953
C:\Users\Admin\Desktop\SearchSuspend.lock 614643
C:\Users\Admin\Downloads\CheckpointRestart.mp2 297735
C:\Users\Admin\Downloads\CompleteResolve.xps 504855
C:\Users\Admin\Desktop\StepOut.pps 693108
C:\Users\Admin\Downloads\CompleteRestore.asx 543690
C:\Users\Admin\Downloads\CompressUnblock.wmv 271845
C:\Users\Admin\Downloads\CopySelect.wpl 440130
C:\Users\Admin\Pictures\ApproveExpand.emz 606800
C:\Users\Admin\Downloads\DebugMount.mhtml 336570
C:\Users\Admin\Music\EnableSubmit.avi 682852
C:\Users\Admin\Music\ImportSkip.vdx 399404
C:\Users\Admin\Music\PingWrite.mp3 450940
C:\Users\Admin\Music\ProtectCompare.mhtml 322100
C:\Users\Admin\Music\ReadResize.crw 554012
C:\Users\Admin\Downloads\DebugSend.wpl 284790
C:\Users\Admin\Downloads\DisableBlock.bmp 414240
C:\Users\Admin\Downloads\ExitDismount.mpg 569580
C:\Users\Admin\Downloads\ExitPush.eps 245955
C:\Users\Admin\Documents\DisableLimit.odt 1588917
C:\Users\Admin\Desktop\StopWatch.cfg 536178
C:\Users\Admin\Music\ReceiveFind.asx 785924
C:\Users\Admin\Music\RegisterSend.tif 373636
C:\Users\Admin\Desktop\UninstallSwitch.pptm 640798
C:\Users\Admin\Music\RepairConvertTo.nfo 734388
C:\Users\Admin\Documents\Files.docx 11551
C:\Users\Admin\Music\RepairNew.shtml 425172
C:\Users\Admin\Music\RestartResize.dotx 579780
C:\Users\Admin\Downloads\ExportInvoke.avi 466020
C:\Users\Admin\Downloads\FindSync.rle 310680
C:\Users\Admin\Documents\MeasureStep.html 1733364
C:\Users\Admin\Desktop\WriteResize.m3u 588488
C:\Users\Admin\Pictures\ConvertFromStop.svg 546120
C:\Users\Admin\Pictures\ConvertRepair.svgz 631072
C:\Users\Admin\Music\SelectInvoke.ogg 1159776
C:\Users\Admin\Music\SplitSelect.i64 811692
C:\Users\Admin\Music\TestSend.mht 476708
C:\Users\Admin\Downloads\FormatUndo.jpeg 427185
C:\Users\Admin\Downloads\HideGet.scf 608415
C:\Users\Admin\Downloads\ImportReset.otf 530745
C:\Users\Admin\Downloads\InstallOptimize.svg 349515
C:\Users\Admin\Downloads\MountSync.svgz 647250
C:\Users\Admin\Downloads\OptimizeConfirm.wpl 673140
C:\Users\Admin\Documents\MountSwitch.vsw 2022258
C:\Users\Admin\Music\UseUnblock.au3 347868
C:\Users\Admin\Music\WaitCopy.reg 631316
C:\Users\Admin\Downloads\ProtectCompare.csv 582525
C:\Users\Admin\Downloads\PushGet.iso 362460
C:\Users\Admin\Downloads\ReadDismount.xla 491910
C:\Users\Admin\Downloads\ReceiveEnable.reg 258900
C:\Users\Admin\Pictures\ConvertToFormat.emz 521848
C:\Users\Admin\Downloads\RegisterDeny.snd 621360
C:\Users\Admin\Pictures\CopyGroup.crw 254856
C:\Users\Admin\Downloads\ResizePush.mp4 453075
C:\Users\Admin\Pictures\DebugConnect.tiff 618936
C:\Users\Admin\Pictures\DismountSave.jpeg 533984
C:\Users\Admin\Downloads\ResumeUse.ps1 919591
C:\Users\Admin\Pictures\EnterAdd.tif 291264
C:\Users\Admin\Downloads\SelectDisconnect.wpl 478965
C:\Users\Admin\Pictures\ExitFind.emf 364080
C:\Users\Admin\Downloads\SendUndo.fon 401295
C:\Users\Admin\Downloads\ShowUpdate.3gpp 660195
C:\Users\Admin\Downloads\TraceRedo.potx 233010
C:\Users\Admin\Downloads\UndoSkip.emz 517800
C:\Users\Admin\Downloads\UnregisterRepair.odt 323625
C:\Users\Admin\Downloads\UnregisterUnpublish.html 388350
C:\Users\Admin\Downloads\WaitUse.DVR 375405
C:\Users\Admin\Documents\NewSubmit.odt 2311152
C:\Users\Admin\Downloads\WatchOut.au3 634305
C:\Users\Admin\Pictures\FindDisconnect.raw 558256
C:\Users\Admin\Documents\Opened.docx 11538
C:\Users\Admin\Pictures\FindSelect.svgz 400488
C:\Users\Admin\Pictures\FindSelect.tif 303400
C:\Users\Admin\Pictures\FormatConvert.tif 862040
C:\Users\Admin\Pictures\FormatOpen.jpg 242720
C:\Users\Admin\Pictures\GrantInvoke.gif 424760
C:\Users\Admin\Documents\ReadConvertTo.xla 2744493
C:\Users\Admin\Pictures\GrantUnprotect.tif 327672
C:\Users\Admin\Pictures\HideSync.gif 266992
C:\Users\Admin\Pictures\InitializeSearch.bmp 388352
C:\Users\Admin\Pictures\InstallUpdate.cr2 315536
C:\Users\Admin\Pictures\LimitClear.svg 485440
C:\Users\Admin\Documents\Recently.docx 11533
C:\Users\Admin\Documents\RenameResize.pps 1155576
C:\Users\Admin\Pictures\LockReset.crw 449032
C:\Users\Admin\Pictures\NewResize.crw 582528
C:\Users\Admin\Pictures\PublishWatch.dib 594664
C:\Users\Admin\Pictures\PushFormat.ico 570392
C:\Users\Admin\Searches\Everywhere.search-ms 248
C:\Users\Admin\Searches\Indexed Locations.search-ms 248
C:\Users\Admin\Pictures\PushWrite.gif 351944
C:\Users\Admin\Pictures\RenameInitialize.dxf 461168
C:\Users\Admin\Documents\RepairUninstall.xml 1444470
C:\Users\Admin\Pictures\RequestPop.crw 376216
C:\Users\Admin\Pictures\ResizeUnpublish.ico 279128
C:\Users\Admin\Pictures\ResolveEnable.svgz 230584
C:\Users\Admin\Pictures\RestartSuspend.svgz 509712
C:\Users\Admin\Pictures\SelectUnpublish.emz 473304
C:\Users\Admin\Pictures\SendProtect.png 218448
C:\Users\Admin\Pictures\SplitMount.bmp 412624
C:\Users\Admin\Pictures\WaitRequest.emz 339808
C:\Users\Admin\Pictures\WatchRename.wmf 436896
C:\Users\Admin\Documents\ResizeFind.vsdx 3900009
C:\Users\Admin\Pictures\WatchUninstall.svgz 497576
C:\Users\Admin\Documents\RestartSearch.pub 1877811
C:\Recovery\44e79742-8b20-11ea-a722-f2e765a3a928\Winre.wim 169213970
C:\Users\Admin\Documents\StartUnblock.xml 2455599
C:\Users\Admin\Documents\SuspendMeasure.mhtml 2600046
C:\Users\Admin\Documents\SwitchMove.html 1300023
C:\Users\Admin\Documents\These.docx 11462
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml 2424
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi 2503680
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml 1450
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi 1992192
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi 2513920
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml 4274
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml 1450
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab 16972987
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab 9958388
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab 36233052
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml 1608
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi 2506240
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml 1565
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml 2296
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms 715834
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi 873984
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml 1383
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi 868864
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml 811
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab 14819276
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml 5884
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi 2865664
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml 3186
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml 4207
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab 2928955
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml 2362
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab 43806141
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi 2503680
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml 1606
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab 4095519
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi 2522624
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml 1800
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPlusWW.msi 27195904
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi 2507776
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml 913
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml 1452
C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPlusWW.xml 16850
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi 868864
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml 819
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml 596341
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml 2624
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest 1857
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab 17456632
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml 1988
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab 18874884
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab 14127746
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi 3124224
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml 1231
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml 1852
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi 3702272
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml 5557
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi 868864
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml 819
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm 27195
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm 67190
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml 9352
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST 3584
Emails
support@covidworldcry.com
Signatures
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of WriteProcessMemory 1023 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 63 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Drops Chrome extension 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Deletes itself 1 IoCs
-
Modifies service 2 TTPs 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Drops file in System32 directory 8 IoCs
-
Adds Run entry to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs
-
Drops file in Program Files directory 824 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe"C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
- System policy modification
- Drops file in System32 directory
- Adds Run entry to start application
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2020-0~1.EXE >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_LOCK.TXT1⤵
- Suspicious use of FindShellTrayWindow
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Drops Chrome extension
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=81.0.4044.129 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fef66ebd28,0x7fef66ebd38,0x7fef66ebd482⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1928 --on-initialized-event-handle=352 --parent-handle=356 /prefetch:62⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1076 --ignored=" --type=renderer " /prefetch:22⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2792 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1404 --ignored=" --type=renderer " /prefetch:22⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4008 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4076 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4028 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4108 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4172 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4352 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=4340 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --disable-gpu-compositing --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3972 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3940 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --disable-gpu-compositing --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1288 /prefetch:12⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1464 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3504 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,5025793382944344297,13817387903702670012,131072 --disable-gpu-compositing --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:12⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\README_LOCK.TXT
-
C:\Users\Admin\Desktop\README_LOCK.TXT
-
\??\pipe\crashpad_1688_KUKODPKARTLXDTFO
-
memory/600-29-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-108-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-117-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-124-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-116-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-113-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-16-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/600-112-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-27-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-82-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-109-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-121-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-105-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-104-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-101-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-100-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-97-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-96-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-93-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-92-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-89-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-88-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-86-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/600-83-0x000000000A2C0000-0x000000000A2D1000-memory.dmpFilesize
68KB
-
memory/644-214-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-226-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-216-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-215-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-235-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-213-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-212-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-211-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-210-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-187-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-186-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-185-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-184-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-183-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-182-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-181-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-180-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-179-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-178-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-177-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-176-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-175-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-174-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-173-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-172-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-171-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-234-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-170-0x0000000009BB0000-0x0000000009BC1000-memory.dmpFilesize
68KB
-
memory/644-169-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-8-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/644-233-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-232-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-231-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-230-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-218-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-219-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-229-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-228-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-220-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-227-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-221-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-222-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-217-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-225-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-223-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/644-224-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1492-0-0x0000000002E4B000-0x0000000002E4C000-memory.dmpFilesize
4KB
-
memory/1492-1-0x0000000004510000-0x0000000004521000-memory.dmpFilesize
68KB
-
memory/1516-118-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-102-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-98-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-99-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-87-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-85-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-158-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-103-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-84-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-81-0x0000000009A80000-0x0000000009A91000-memory.dmpFilesize
68KB
-
memory/1516-106-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-123-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-80-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-30-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-110-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-111-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-166-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-167-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-114-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-115-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-120-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-91-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-94-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-157-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-168-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-90-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-107-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-95-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-165-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-164-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-163-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-156-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-155-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-162-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-161-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-160-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-159-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-146-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-147-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-148-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-149-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-150-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-151-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-152-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-153-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1516-154-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1616-139-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1616-137-0x0000000009F10000-0x0000000009F21000-memory.dmpFilesize
68KB
-
memory/1616-119-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/1680-73-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-47-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-77-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-76-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-12-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/1680-24-0x0000027000040000-0x0000027000041000-memory.dmpFilesize
4KB
-
memory/1680-75-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-74-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-72-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-71-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-70-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-69-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-68-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-67-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-66-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-65-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-64-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-63-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-62-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-61-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-60-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-59-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-58-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-57-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-56-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-34-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-35-0x0000000009D90000-0x0000000009DA1000-memory.dmpFilesize
68KB
-
memory/1680-36-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-37-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-38-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-39-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-40-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-41-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-42-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-43-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-44-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-45-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-55-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-54-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-53-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-52-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-51-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-50-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-49-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-48-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-78-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1680-46-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1688-240-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-241-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-248-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-245-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-251-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-275-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-274-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-243-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-242-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-268-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-250-0x000000001A8B0000-0x000000001A8D3000-memory.dmpFilesize
140KB
-
memory/1688-256-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-203-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-276-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-272-0x00000000218A0000-0x00000000218C3000-memory.dmpFilesize
140KB
-
memory/1688-239-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/1688-237-0x000000001F860000-0x000000001F871000-memory.dmpFilesize
68KB
-
memory/2028-4-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2028-5-0x0000000077600000-0x0000000077601000-memory.dmpFilesize
4KB
-
memory/2028-3-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/2144-207-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2160-205-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2332-271-0x0000000007FA0000-0x0000000007FB1000-memory.dmpFilesize
68KB
-
memory/2332-246-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2364-254-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2420-141-0x0000000009810000-0x0000000009821000-memory.dmpFilesize
68KB
-
memory/2420-144-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/2420-143-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/2420-127-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2420-145-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/2468-130-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2476-260-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2504-135-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2516-277-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/2516-263-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2880-189-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2924-192-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2940-194-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/2960-198-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/3024-286-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/3040-280-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B
-
memory/3064-283-0x000000013FE40FC0-0x000000013FE41110-memory.dmpFilesize
336B