Analysis
max time kernel: 151s
max time network: 133s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:06

Static task: static1
Behavioral task: behavioral1
  Sample: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Resource: win10v20201028

General
Target: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
Size: 325KB
MD5: b56a1f8a3ba9c5eb1a3b1a6aca398676
SHA1: 345a633366ec3dab7813924773377afc005cc5fc
SHA256: 812e862c4c470d4728a408b64d1cff9dca2f302f2742ff5ec99aeb896870bc6e
SHA512: ee9f751e332d9cf2cc8cc42a3cc9e7b2e6671358623c9e5a00a45a9f3a86e648aa7e13a43001d69a516ea78579c98fe6f102d42b930199872134d17efa6e32e4
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: uspex1@cock.li, uspex2@cock.li
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
636 | kjejdIHj.exe
1732 | services.exe
1744 | services.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1776 | b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
1776 | b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
636 | kjejdIHj.exe
636 | kjejdIHj.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run | kjejdIHj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" | kjejdIHj.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\N: | services.exe
File opened (read-only) | \??\H: | services.exe
File opened (read-only) | \??\E: | services.exe
File opened (read-only) | \??\Q: | services.exe
File opened (read-only) | \??\P: | services.exe
File opened (read-only) | \??\M: | services.exe
File opened (read-only) | \??\L: | services.exe
File opened (read-only) | \??\K: | services.exe
File opened (read-only) | \??\J: | services.exe
File opened (read-only) | \??\A: | services.exe
File opened (read-only) | \??\Y: | services.exe
File opened (read-only) | \??\V: | services.exe
File opened (read-only) | \??\U: | services.exe
File opened (read-only) | \??\T: | services.exe
File opened (read-only) | \??\O: | services.exe
File opened (read-only) | \??\I: | services.exe
File opened (read-only) | \??\B: | services.exe
File opened (read-only) | \??\W: | services.exe
File opened (read-only) | \??\X: | services.exe
File opened (read-only) | \??\S: | services.exe
File opened (read-only) | \??\R: | services.exe
File opened (read-only) | \??\G: | services.exe
File opened (read-only) | \??\F: | services.exe
File opened (read-only) | \??\Z: | services.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | geoiptool.com
-
Drops file in Program Files directory 9245 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1540 | vssadmin.exe
2028 | vssadmin.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | services.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | kjejdIHj.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | kjejdIHj.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | kjejdIHj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | services.exe
-
Suspicious use of AdjustPrivilegeToken 85 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      Signatures: Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          Signatures: Interacts with shadow copies
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
        - (depth 5) C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          Signatures: Interacts with shadow copies
      - (depth 4) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
        Signatures: Executes dropped EXE; Drops file in Program Files directory
    - (depth 3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
- (depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads