Analysis
-
max time kernel
99s -
max time network
107s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
28-07-2020 07:48
Static task
static1
Behavioral task
behavioral1
Sample
Aksip.bin.exe
Resource
win7v200722
Behavioral task
behavioral2
Sample
Aksip.bin.exe
Resource
win10v200722
General
-
Target
Aksip.bin.exe
-
Size
344KB
-
MD5
61506482ddd28756e443b3de05a3b1cf
-
SHA1
8d7effb5a456289d13f725486a30bed727a01be0
-
SHA256
15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
-
SHA512
18a7178209e6e9edd15e22c97ad15b049370fe457fcec815fe702d75514014460f80326e3a4ae6ca496582467c57398cdb250bf826b76e62bf2c56e1f38efe46
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
msupport2019@protonmail.com
msupport@elude.in
Signatures
-
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Note: the process column shows these keys were created by vssvc.exe (C:\Windows\system32\vssvc.exe in the process tree), not written directly by the sample.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | geoiptool.com
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies system certificate store
Processes:
Aksip.bin.exelsass.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C Aksip.bin.exe Set value (data) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451
c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 Aksip.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 lsass.exe Set value 
(data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Aksip.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 Aksip.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 Aksip.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 Aksip.bin.exe -
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
Aksip.bin.exelsass.execmd.execmd.exedescription pid process target process PID 1000 wrote to memory of 1172 1000 Aksip.bin.exe lsass.exe PID 1000 wrote to memory of 1172 1000 Aksip.bin.exe lsass.exe PID 1000 wrote to memory of 1172 1000 Aksip.bin.exe lsass.exe PID 1000 wrote to memory of 1172 1000 Aksip.bin.exe lsass.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1000 wrote to memory of 1880 1000 Aksip.bin.exe notepad.exe PID 1172 wrote to memory of 1612 1172 lsass.exe lsass.exe PID 1172 wrote to memory of 1612 1172 lsass.exe lsass.exe PID 1172 wrote to memory of 1612 1172 lsass.exe lsass.exe PID 1172 wrote to memory of 1612 1172 lsass.exe lsass.exe PID 1172 wrote to memory of 1588 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1588 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1588 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1588 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1636 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1636 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1636 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1636 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1976 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1976 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1976 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1976 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1940 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1940 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1940 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1940 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 2032 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 2032 1172 
lsass.exe cmd.exe PID 1172 wrote to memory of 2032 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 2032 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1996 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1996 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1996 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1996 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1456 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1456 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1456 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1456 1172 lsass.exe cmd.exe PID 1456 wrote to memory of 480 1456 cmd.exe WMIC.exe PID 1456 wrote to memory of 480 1456 cmd.exe WMIC.exe PID 1456 wrote to memory of 480 1456 cmd.exe WMIC.exe PID 1456 wrote to memory of 480 1456 cmd.exe WMIC.exe PID 1172 wrote to memory of 1052 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1052 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1052 1172 lsass.exe cmd.exe PID 1172 wrote to memory of 1052 1172 lsass.exe cmd.exe PID 1052 wrote to memory of 1104 1052 cmd.exe vssadmin.exe PID 1052 wrote to memory of 1104 1052 cmd.exe vssadmin.exe PID 1052 wrote to memory of 1104 1052 cmd.exe vssadmin.exe PID 1052 wrote to memory of 1104 1052 cmd.exe vssadmin.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe PID 1172 wrote to memory of 1248 1172 lsass.exe notepad.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
Aksip.bin.exelsass.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 1000 Aksip.bin.exe Token: SeDebugPrivilege 1000 Aksip.bin.exe Token: SeDebugPrivilege 1172 lsass.exe Token: SeIncreaseQuotaPrivilege 480 WMIC.exe Token: SeSecurityPrivilege 480 WMIC.exe Token: SeTakeOwnershipPrivilege 480 WMIC.exe Token: SeLoadDriverPrivilege 480 WMIC.exe Token: SeSystemProfilePrivilege 480 WMIC.exe Token: SeSystemtimePrivilege 480 WMIC.exe Token: SeProfSingleProcessPrivilege 480 WMIC.exe Token: SeIncBasePriorityPrivilege 480 WMIC.exe Token: SeCreatePagefilePrivilege 480 WMIC.exe Token: SeBackupPrivilege 480 WMIC.exe Token: SeRestorePrivilege 480 WMIC.exe Token: SeShutdownPrivilege 480 WMIC.exe Token: SeDebugPrivilege 480 WMIC.exe Token: SeSystemEnvironmentPrivilege 480 WMIC.exe Token: SeRemoteShutdownPrivilege 480 WMIC.exe Token: SeUndockPrivilege 480 WMIC.exe Token: SeManageVolumePrivilege 480 WMIC.exe Token: 33 480 WMIC.exe Token: 34 480 WMIC.exe Token: 35 480 WMIC.exe Token: SeIncreaseQuotaPrivilege 480 WMIC.exe Token: SeSecurityPrivilege 480 WMIC.exe Token: SeTakeOwnershipPrivilege 480 WMIC.exe Token: SeLoadDriverPrivilege 480 WMIC.exe Token: SeSystemProfilePrivilege 480 WMIC.exe Token: SeSystemtimePrivilege 480 WMIC.exe Token: SeProfSingleProcessPrivilege 480 WMIC.exe Token: SeIncBasePriorityPrivilege 480 WMIC.exe Token: SeCreatePagefilePrivilege 480 WMIC.exe Token: SeBackupPrivilege 480 WMIC.exe Token: SeRestorePrivilege 480 WMIC.exe Token: SeShutdownPrivilege 480 WMIC.exe Token: SeDebugPrivilege 480 WMIC.exe Token: SeSystemEnvironmentPrivilege 480 WMIC.exe Token: SeRemoteShutdownPrivilege 480 WMIC.exe Token: SeUndockPrivilege 480 WMIC.exe Token: SeManageVolumePrivilege 480 WMIC.exe Token: 33 480 WMIC.exe Token: 34 480 WMIC.exe Token: 35 480 WMIC.exe Token: SeBackupPrivilege 1680 vssvc.exe Token: SeRestorePrivilege 1680 vssvc.exe Token: SeAuditPrivilege 1680 vssvc.exe Token: SeDebugPrivilege 1172 lsass.exe Token: SeDebugPrivilege 1172 lsass.exe -
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Aksip.bin.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run | Aksip.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" | Aksip.bin.exe
-
Loads dropped DLL 2 IoCs
Processes:
Aksip.bin.exe
pid | process
1000 | Aksip.bin.exe
1000 | Aksip.bin.exe
-
Executes dropped EXE 2 IoCs
Processes:
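lsass.exe, lsass.exe
pid | process
1172 | lsass.exe
1612 | lsass.exe
Note: the lsass.exe entries in the process tree on this page all run from C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe, the dropped executable, not the Windows LSASS binary in C:\Windows\System32. A process named lsass.exe running from any other path is a masquerading indicator.
-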
Drops file in Program Files directory 15796 IoCs
Processes:
lsass.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.1A4-8A1-A5A lsass.exe File created C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF lsass.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15021_.GIF lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKDECS.ICO lsass.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF lsass.exe File opened for modification C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MSPUB.EXE.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\ONELEV.EXE.1A4-8A1-A5A lsass.exe File opened 
for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar lsass.exe File created C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Microsoft Office\Templates\1033\Access\Students.accdt lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF lsass.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\INFOMS.ICO lsass.exe File opened for 
modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME53.CSS lsass.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson lsass.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8 lsass.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.1A4-8A1-A5A 
lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV11.POC lsass.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\.zeppelin lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG lsass.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\art\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File created C:\Program Files\.zeppelin lsass.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\Microsoft Office\Office14\IPIRM.XML.1A4-8A1-A5A lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png lsass.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF.1A4-8A1-A5A lsass.exe -
Deletes itself 1 IoCs
Processes:
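notepad.exe
pid | process
1880 | notepad.exe
Note: PID 1880 is the notepad.exe instance that Aksip.bin.exe (PID 1000) wrote into according to the WriteProcessMemory table, so the deletion is presumably performed by code placed in that process rather than by Notepad itself.
-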
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
1104 | vssadmin.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\Aksip.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Aksip.bin.exe"
Tree depth: 1
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Loads dropped DLL
-
Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
Tree depth: 2
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
Tree depth: 3
- Executes dropped EXE
- Drops file in Program Files directory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
Tree depth: 3
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
Tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic shadowcopy delete
Tree depth: 4
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
Tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows /all /quiet
Tree depth: 4
- Interacts with shadow copies
-
Image: C:\Windows\SysWOW64\notepad.exe
Command line: notepad.exe
Tree depth: 3
-
Image: C:\Windows\SysWOW64\notepad.exe
Command line: notepad.exe
Tree depth: 2
- Deletes itself
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAP7GNEB\SAECS561.htm
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UJFO0ABC\S18E8TDX.htm
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
-
C:\Users\Admin\Desktop\ApproveSelect.dwfx.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\CompressMeasure.search-ms.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\DisableUninstall.emf.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\EnterFormat.ppsx.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\ExpandSet.jpg.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\FindInvoke.mp3.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\InvokeRepair.dxf.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\LockDisable.odt.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\MountGroup.xla.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\OpenImport.mov.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\ReceivePush.docm.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\ResetPop.txt.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\RestoreClose.ps1.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\SaveDeny.bmp.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\SelectRemove.ttc.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\SetRestart.vsw.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\SuspendRestore.docm.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\TestUnlock.MOD.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\WaitInitialize.crw.1A4-8A1-A5A
-
C:\Users\Admin\Desktop\WatchUnblock.mpg.1A4-8A1-A5A
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
-
memory/480-30-0x0000000000000000-mapping.dmp
-
memory/1000-1-0x0000000001D80000-0x0000000001D91000-memory.dmp
Filesize: 68KB
-
memory/1000-0-0x000000000070B000-0x000000000070C000-memory.dmp
Filesize: 4KB
-
memory/1052-31-0x0000000000000000-mapping.dmp
-
memory/1104-32-0x0000000000000000-mapping.dmp
-
memory/1172-7-0x000000000066B000-0x000000000066C000-memory.dmp
Filesize: 4KB
-
memory/1172-8-0x0000000001EE0000-0x0000000001EF1000-memory.dmp
Filesize: 68KB
-
memory/1172-4-0x0000000000000000-mapping.dmp
-
memory/1248-53-0x0000000000000000-mapping.dmp
-
memory/1456-29-0x0000000000000000-mapping.dmp
-
memory/1588-21-0x0000000000000000-mapping.dmp
-
memory/1612-19-0x0000000000000000-mapping.dmp
-
memory/1612-25-0x0000000001FC0000-0x0000000001FD1000-memory.dmp
Filesize: 68KB
-
memory/1612-24-0x000000000065B000-0x000000000065C000-memory.dmp
Filesize: 4KB
-
memory/1636-22-0x0000000000000000-mapping.dmp
-
memory/1880-6-0x0000000000000000-mapping.dmp
-
memory/1940-26-0x0000000000000000-mapping.dmp
-
memory/1976-23-0x0000000000000000-mapping.dmp
-
memory/1996-28-0x0000000000000000-mapping.dmp
-
memory/2032-27-0x0000000000000000-mapping.dmp