buran | d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a

Analysis

max time kernel
157s
max time network
160s
platform
windows10_x64
resource
win10v20210408
submitted
29/08/2021, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee4f13fdcdbeba5471c7bf29dd5f182.exe
Size

213KB
MD5

eee4f13fdcdbeba5471c7bf29dd5f182
SHA1

714422588a4841a5dd84cbb1586521de2af67a7a
SHA256

d01b3ea3b793e2d269f00eadf0de7c751a2a2e08ad8373b8f025eff5d77dbb8a
SHA512

2ba10fe8e8291a10353be17b1f0e76bdacb535f2eb469438f88b658282166784528dd0a25dd9514f32a9a17edcb6501716b9ebb797236bbc84b68f9783f16257

Score

10^/10

buran raccoon smokeloader d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 backdoor discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 789-C30-943 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

d02c5d65069fc7ce1993e7c52edf0c9c4c195c81

Attributes

url4cnc
https://telete.in/open3entershift

rc4.plain

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4328 created 2868	4328	WerFault.exe	79

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2868	DE6F.exe
1476	DF4B.exe
3308	E1CC.exe
2248	smss.exe
2228	smss.exe
4456	ceavehh
4488	ceavehh

Deletes itself 1 IoCs

pid	Process
1964	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2868	DE6F.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	DF4B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	DF4B.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3308	E1CC.exe
3308	E1CC.exe
3308	E1CC.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 4456 set thread context of 4488	4456	ceavehh	125

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_10h.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5478_32x32x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_24x24x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\CinemagraphDelegate\CinemagraphControl.xaml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2475_20x20x32.png	smss.exe
File opened for modification	C:\Program Files\ConnectInitialize.jfif	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms	smss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_RTL_Phone.mp4	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-100.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens\en-US\doc_offline_wifi.xml	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateCCFiles_280x192.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr.gif.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.INF.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-16.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\uz_60x42.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6124_20x20x32.png	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_24x24x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\US_export_policy.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Theres_a_Timed-Mode_.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\KnownGameList.bin	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.payfast.789-C30-943	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-white.png	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1916	2868	WerFault.exe	79
1340	2868	WerFault.exe	79
3700	2868	WerFault.exe	79
3884	2868	WerFault.exe	79
3692	2868	WerFault.exe	79
524	2868	WerFault.exe	79
2656	2868	WerFault.exe	79
3132	2868	WerFault.exe	79
3992	2868	WerFault.exe	79
2040	2868	WerFault.exe	79
4184	2868	WerFault.exe	79
4308	2868	WerFault.exe	79
4328	2868	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceavehh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceavehh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eee4f13fdcdbeba5471c7bf29dd5f182.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eee4f13fdcdbeba5471c7bf29dd5f182.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eee4f13fdcdbeba5471c7bf29dd5f182.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceavehh

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4116	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DF4B.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DF4B.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	eee4f13fdcdbeba5471c7bf29dd5f182.exe
3164	eee4f13fdcdbeba5471c7bf29dd5f182.exe
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1964	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
3164	eee4f13fdcdbeba5471c7bf29dd5f182.exe
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeRestorePrivilege	1916	WerFault.exe
Token: SeBackupPrivilege	1916	WerFault.exe
Token: SeDebugPrivilege	1916	WerFault.exe
Token: SeDebugPrivilege	1340	WerFault.exe
Token: SeDebugPrivilege	3700	WerFault.exe
Token: SeDebugPrivilege	3884	WerFault.exe
Token: SeDebugPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	3308	E1CC.exe
Token: SeDebugPrivilege	524	WerFault.exe
Token: SeDebugPrivilege	2656	WerFault.exe
Token: SeDebugPrivilege	3132	WerFault.exe
Token: SeDebugPrivilege	3992	WerFault.exe
Token: SeDebugPrivilege	2040	WerFault.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeDebugPrivilege	4184	WerFault.exe
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	E1CC.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1964	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 516 wrote to memory of 3164	516	eee4f13fdcdbeba5471c7bf29dd5f182.exe	77
PID 1964 wrote to memory of 2868	1964	Process not Found	79
PID 1964 wrote to memory of 2868	1964	Process not Found	79
PID 1964 wrote to memory of 2868	1964	Process not Found	79
PID 1964 wrote to memory of 1476	1964	Process not Found	80
PID 1964 wrote to memory of 1476	1964	Process not Found	80
PID 1964 wrote to memory of 1476	1964	Process not Found	80
PID 1964 wrote to memory of 3308	1964	Process not Found	81
PID 1964 wrote to memory of 3308	1964	Process not Found	81
PID 1964 wrote to memory of 3308	1964	Process not Found	81
PID 1964 wrote to memory of 744	1964	Process not Found	83
PID 1964 wrote to memory of 744	1964	Process not Found	83
PID 1964 wrote to memory of 744	1964	Process not Found	83
PID 1964 wrote to memory of 744	1964	Process not Found	83
PID 1964 wrote to memory of 3900	1964	Process not Found	84
PID 1964 wrote to memory of 3900	1964	Process not Found	84
PID 1964 wrote to memory of 3900	1964	Process not Found	84
PID 1964 wrote to memory of 2308	1964	Process not Found	85
PID 1964 wrote to memory of 2308	1964	Process not Found	85
PID 1964 wrote to memory of 2308	1964	Process not Found	85
PID 1964 wrote to memory of 2308	1964	Process not Found	85
PID 1476 wrote to memory of 2248	1476	DF4B.exe	86
PID 1476 wrote to memory of 2248	1476	DF4B.exe	86
PID 1476 wrote to memory of 2248	1476	DF4B.exe	86
PID 1964 wrote to memory of 4012	1964	Process not Found	87
PID 1964 wrote to memory of 4012	1964	Process not Found	87
PID 1964 wrote to memory of 4012	1964	Process not Found	87
PID 1964 wrote to memory of 656	1964	Process not Found	88
PID 1964 wrote to memory of 656	1964	Process not Found	88
PID 1964 wrote to memory of 656	1964	Process not Found	88
PID 1964 wrote to memory of 656	1964	Process not Found	88
PID 1964 wrote to memory of 196	1964	Process not Found	89
PID 1964 wrote to memory of 196	1964	Process not Found	89
PID 1964 wrote to memory of 196	1964	Process not Found	89
PID 1964 wrote to memory of 1404	1964	Process not Found	92
PID 1964 wrote to memory of 1404	1964	Process not Found	92
PID 1964 wrote to memory of 1404	1964	Process not Found	92
PID 1964 wrote to memory of 1404	1964	Process not Found	92
PID 1964 wrote to memory of 704	1964	Process not Found	96
PID 1964 wrote to memory of 704	1964	Process not Found	96
PID 1964 wrote to memory of 704	1964	Process not Found	96
PID 1964 wrote to memory of 2772	1964	Process not Found	98
PID 1964 wrote to memory of 2772	1964	Process not Found	98
PID 1964 wrote to memory of 2772	1964	Process not Found	98
PID 1964 wrote to memory of 2772	1964	Process not Found	98
PID 2248 wrote to memory of 1340	2248	smss.exe	104
PID 2248 wrote to memory of 1340	2248	smss.exe	104
PID 2248 wrote to memory of 1340	2248	smss.exe	104
PID 2248 wrote to memory of 1356	2248	smss.exe	105
PID 2248 wrote to memory of 1356	2248	smss.exe	105
PID 2248 wrote to memory of 1356	2248	smss.exe	105
PID 2248 wrote to memory of 2124	2248	smss.exe	106
PID 2248 wrote to memory of 2124	2248	smss.exe	106
PID 2248 wrote to memory of 2124	2248	smss.exe	106
PID 2248 wrote to memory of 2296	2248	smss.exe	113
PID 2248 wrote to memory of 2296	2248	smss.exe	113
PID 2248 wrote to memory of 2296	2248	smss.exe	113
PID 2248 wrote to memory of 3196	2248	smss.exe	112
PID 2248 wrote to memory of 3196	2248	smss.exe	112

C:\Users\Admin\AppData\Local\Temp\eee4f13fdcdbeba5471c7bf29dd5f182.exe
"C:\Users\Admin\AppData\Local\Temp\eee4f13fdcdbeba5471c7bf29dd5f182.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\eee4f13fdcdbeba5471c7bf29dd5f182.exe
  "C:\Users\Admin\AppData\Local\Temp\eee4f13fdcdbeba5471c7bf29dd5f182.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3164

C:\Users\Admin\AppData\Local\Temp\DE6F.exe
C:\Users\Admin\AppData\Local\Temp\DE6F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 748
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1188
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1224
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1176
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1204
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1236
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1176
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1228
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 796
  2⤵
  - Program crash
  PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1268
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4328

C:\Users\Admin\AppData\Local\Temp\DF4B.exe
C:\Users\Admin\AppData\Local\Temp\DF4B.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2124
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3196
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2296

C:\Users\Admin\AppData\Local\Temp\E1CC.exe
C:\Users\Admin\AppData\Local\Temp\E1CC.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:744

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2308

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4376

C:\Users\Admin\AppData\Roaming\ceavehh
C:\Users\Admin\AppData\Roaming\ceavehh
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4456
- C:\Users\Admin\AppData\Roaming\ceavehh
  C:\Users\Admin\AppData\Roaming\ceavehh
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-164-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/196-163-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

Filesize
24KB

Download
memory/516-116-0x0000000001D90000-0x0000000001EDA000-memory.dmp

Filesize
1.3MB

Download
memory/656-160-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/656-161-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/704-172-0x0000000000F00000-0x0000000000F09000-memory.dmp

Filesize
36KB

Download
memory/704-171-0x0000000000F10000-0x0000000000F15000-memory.dmp

Filesize
20KB

Download
memory/744-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/744-136-0x0000000000470000-0x00000000004E4000-memory.dmp

Filesize
464KB

Download
memory/1404-168-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/1404-169-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

Filesize
36KB

Download
memory/1964-117-0x0000000001300000-0x0000000001316000-memory.dmp

Filesize
88KB

Download
memory/2308-144-0x0000000000FF0000-0x0000000000FFB000-memory.dmp

Filesize
44KB

Download
memory/2308-143-0x0000000003640000-0x0000000003647000-memory.dmp

Filesize
28KB

Download
memory/2772-175-0x0000000000AF0000-0x0000000000AF9000-memory.dmp

Filesize
36KB

Download
memory/2772-174-0x0000000000B00000-0x0000000000B05000-memory.dmp

Filesize
20KB

Download
memory/2868-165-0x0000000003A80000-0x0000000003B0F000-memory.dmp

Filesize
572KB

Download
memory/2868-167-0x0000000000400000-0x0000000001DB7000-memory.dmp

Filesize
25.7MB

Download
memory/3164-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3308-134-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/3308-138-0x0000000006BB0000-0x00000000071B6000-memory.dmp

Filesize
6.0MB

Download
memory/3308-141-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3308-176-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/3308-177-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/3308-178-0x0000000008E00000-0x0000000008E01000-memory.dmp

Filesize
4KB

Download
memory/3308-187-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/3308-192-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/3308-133-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/3308-132-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/3308-185-0x000000000A000000-0x000000000A001000-memory.dmp

Filesize
4KB

Download
memory/3308-189-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/3308-131-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/3308-129-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/3308-128-0x000000007E8D0000-0x000000007ECA1000-memory.dmp

Filesize
3.8MB

Download
memory/3900-140-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/3900-139-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/4012-151-0x0000000000F80000-0x0000000000F8F000-memory.dmp

Filesize
60KB

Download
memory/4012-150-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/4456-198-0x0000000001FC0000-0x0000000001FCA000-memory.dmp

Filesize
40KB

Download