buran | c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c

Analysis

max time kernel
156s
max time network
127s
platform
windows10_x64
resource
win10v20210408
submitted
30-08-2021 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
Size

211KB
MD5

3f180ec284fad029c3be0801537f7ca4
SHA1

95595bb4ed18e2b00b9328b98066b9b5c47c9276
SHA256

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c
SHA512

25dbd0ca473056c8ebb0a666b20b5dc7b2d5379cfbd584cfaf108aa12492e2ebfe24bf0917ca2f7787b66e837dc075dea9e6fb556e2c8fcebb7057c75a9f2380

Score

10^/10

buran smokeloader backdoor persistence ransomware trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 1DA-859-EE1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

Processes:

BADA.execsrss.execsrss.exevuegjsf

pid	Process
1484	BADA.exe
1588	csrss.exe
644	csrss.exe
1172	vuegjsf

Deletes itself 1 IoCs

Processes:

pid	Process
3024

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BADA.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	BADA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	BADA.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
24	geoiptool.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe

description	pid	Process	procid_target
PID 2228 set thread context of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\cacerts	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File created	C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.payfast.1DA-859-EE1	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.payfast.1DA-859-EE1	csrss.exe
File created	C:\Program Files\Microsoft Office\Office16\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.payfast.1DA-859-EE1	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.payfast.1DA-859-EE1	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-util-enumerations.jar.payfast.1DA-859-EE1	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
2544	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

BADA.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	BADA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	BADA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe

pid	Process
2328	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
2328	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3024

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe

pid	Process
2328	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe
Token: SeIncBasePriorityPrivilege	3552	WMIC.exe
Token: SeCreatePagefilePrivilege	3552	WMIC.exe
Token: SeBackupPrivilege	3552	WMIC.exe
Token: SeRestorePrivilege	3552	WMIC.exe
Token: SeShutdownPrivilege	3552	WMIC.exe
Token: SeDebugPrivilege	3552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3552	WMIC.exe
Token: SeRemoteShutdownPrivilege	3552	WMIC.exe
Token: SeUndockPrivilege	3552	WMIC.exe
Token: SeManageVolumePrivilege	3552	WMIC.exe
Token: 33	3552	WMIC.exe
Token: 34	3552	WMIC.exe
Token: 35	3552	WMIC.exe
Token: 36	3552	WMIC.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe
Token: SeIncBasePriorityPrivilege	3552	WMIC.exe
Token: SeCreatePagefilePrivilege	3552	WMIC.exe
Token: SeBackupPrivilege	3552	WMIC.exe
Token: SeRestorePrivilege	3552	WMIC.exe
Token: SeShutdownPrivilege	3552	WMIC.exe
Token: SeDebugPrivilege	3552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3552	WMIC.exe
Token: SeRemoteShutdownPrivilege	3552	WMIC.exe
Token: SeUndockPrivilege	3552	WMIC.exe
Token: SeManageVolumePrivilege	3552	WMIC.exe
Token: 33	3552	WMIC.exe
Token: 34	3552	WMIC.exe
Token: 35	3552	WMIC.exe
Token: 36	3552	WMIC.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exeBADA.execsrss.execmd.exe

description	pid	Process	procid_target
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 2228 wrote to memory of 2328	2228	c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe	77
PID 3024 wrote to memory of 1484	3024		79
PID 3024 wrote to memory of 1484	3024		79
PID 3024 wrote to memory of 1484	3024		79
PID 3024 wrote to memory of 3156	3024		80
PID 3024 wrote to memory of 3156	3024		80
PID 3024 wrote to memory of 3156	3024		80
PID 3024 wrote to memory of 3156	3024		80
PID 3024 wrote to memory of 2132	3024		81
PID 3024 wrote to memory of 2132	3024		81
PID 3024 wrote to memory of 2132	3024		81
PID 3024 wrote to memory of 2096	3024		82
PID 3024 wrote to memory of 2096	3024		82
PID 3024 wrote to memory of 2096	3024		82
PID 3024 wrote to memory of 2096	3024		82
PID 3024 wrote to memory of 3704	3024		83
PID 3024 wrote to memory of 3704	3024		83
PID 3024 wrote to memory of 3704	3024		83
PID 3024 wrote to memory of 2360	3024		84
PID 3024 wrote to memory of 2360	3024		84
PID 3024 wrote to memory of 2360	3024		84
PID 3024 wrote to memory of 2360	3024		84
PID 3024 wrote to memory of 2884	3024		85
PID 3024 wrote to memory of 2884	3024		85
PID 3024 wrote to memory of 2884	3024		85
PID 3024 wrote to memory of 1800	3024		86
PID 3024 wrote to memory of 1800	3024		86
PID 3024 wrote to memory of 1800	3024		86
PID 3024 wrote to memory of 1800	3024		86
PID 3024 wrote to memory of 2500	3024		87
PID 3024 wrote to memory of 2500	3024		87
PID 3024 wrote to memory of 2500	3024		87
PID 3024 wrote to memory of 2428	3024		88
PID 3024 wrote to memory of 2428	3024		88
PID 3024 wrote to memory of 2428	3024		88
PID 3024 wrote to memory of 2428	3024		88
PID 1484 wrote to memory of 1588	1484	BADA.exe	89
PID 1484 wrote to memory of 1588	1484	BADA.exe	89
PID 1484 wrote to memory of 1588	1484	BADA.exe	89
PID 1588 wrote to memory of 196	1588	csrss.exe	90
PID 1588 wrote to memory of 196	1588	csrss.exe	90
PID 1588 wrote to memory of 196	1588	csrss.exe	90
PID 1588 wrote to memory of 188	1588	csrss.exe	91
PID 1588 wrote to memory of 188	1588	csrss.exe	91
PID 1588 wrote to memory of 188	1588	csrss.exe	91
PID 1588 wrote to memory of 1192	1588	csrss.exe	92
PID 1588 wrote to memory of 1192	1588	csrss.exe	92
PID 1588 wrote to memory of 1192	1588	csrss.exe	92
PID 1588 wrote to memory of 1104	1588	csrss.exe	93
PID 1588 wrote to memory of 1104	1588	csrss.exe	93
PID 1588 wrote to memory of 1104	1588	csrss.exe	93
PID 1588 wrote to memory of 1052	1588	csrss.exe	94
PID 1588 wrote to memory of 1052	1588	csrss.exe	94
PID 1588 wrote to memory of 1052	1588	csrss.exe	94
PID 1588 wrote to memory of 644	1588	csrss.exe	95
PID 1588 wrote to memory of 644	1588	csrss.exe	95
PID 1588 wrote to memory of 644	1588	csrss.exe	95
PID 1052 wrote to memory of 2544	1052	cmd.exe	101
PID 1052 wrote to memory of 2544	1052	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
"C:\Users\Admin\AppData\Local\Temp\c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe
  "C:\Users\Admin\AppData\Local\Temp\c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2328

C:\Users\Admin\AppData\Local\Temp\BADA.exe
C:\Users\Admin\AppData\Local\Temp\BADA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3156

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2096

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2360

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2884

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1800

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2500

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Roaming\vuegjsf
C:\Users\Admin\AppData\Roaming\vuegjsf
1⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
67e2d7a667ae518acf6257a553f0ed81

SHA1
c9ef014167bdbb1a0debfcc38aa5aabffe7a9b0f

SHA256
fa4c82c6d8476a9825ed713615a48cf4d42eacdd77e39bfbd1723b079507201c

SHA512
21da1ad1caaac3559600fcb56b54581c775bba289840a3fb6e238ee9034263ba2b97770f4596c7d36923712ee90a37c484d1f8795717a93687c1805ab33798df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
defc74807672ce3332b7784eacdf3860

SHA1
c66516c7609522d3e8522200abb112946b7f48d3

SHA256
203ca93f68f2b9894a2b9e4dac9a1e70ecb0e007245e986e09757503224bd162

SHA512
3f2b9534cdf80e972de86b304998ecbba2540a260cd404d99a522a41833486674224fd180188da90331ebf4fee025cb2a8a28a81442cf13f5679a989ae9665bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
b0d1a06342255cdc3a62cebd24f94192

SHA1
d5783554a8d7a930b4735d58fd7d59b4fafcb5c5

SHA256
e23e5b200eb63493697199c7514b0291128b86016285f717705ab6d92a1d1340

SHA512
34ae6ebf4dfba715a6aeecfeb4b933435f847010c04df7ad52cf65133305eeae241853c85d08cc47e23f589d8ed3bf131d367870522c4ac3ad3f93c4283ae637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\PEPFYJ2N.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\VX41F6X9.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\BADA.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\BADA.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\vuegjsf

MD5
3f180ec284fad029c3be0801537f7ca4

SHA1
95595bb4ed18e2b00b9328b98066b9b5c47c9276

SHA256
c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c

SHA512
25dbd0ca473056c8ebb0a666b20b5dc7b2d5379cfbd584cfaf108aa12492e2ebfe24bf0917ca2f7787b66e837dc075dea9e6fb556e2c8fcebb7057c75a9f2380

Download Submit
C:\Users\Admin\AppData\Roaming\vuegjsf

MD5
3f180ec284fad029c3be0801537f7ca4

SHA1
95595bb4ed18e2b00b9328b98066b9b5c47c9276

SHA256
c00cc2fd6fe678514c0a5de3fcbf5dcb35400a70c08a5cd9082432e437809a6c

SHA512
25dbd0ca473056c8ebb0a666b20b5dc7b2d5379cfbd584cfaf108aa12492e2ebfe24bf0917ca2f7787b66e837dc075dea9e6fb556e2c8fcebb7057c75a9f2380

Download Submit
memory/188-160-0x0000000000000000-mapping.dmp

Download
memory/196-159-0x0000000000000000-mapping.dmp

Download
memory/644-164-0x0000000000000000-mapping.dmp

Download
memory/1052-163-0x0000000000000000-mapping.dmp

Download
memory/1104-162-0x0000000000000000-mapping.dmp

Download
memory/1192-161-0x0000000000000000-mapping.dmp

Download
memory/1484-118-0x0000000000000000-mapping.dmp

Download
memory/1588-148-0x0000000000000000-mapping.dmp

Download
memory/1800-139-0x0000000000000000-mapping.dmp

Download
memory/1800-141-0x0000000003190000-0x0000000003199000-memory.dmp

Filesize
36KB

Download
memory/1800-140-0x00000000031A0000-0x00000000031A4000-memory.dmp

Filesize
16KB

Download
memory/2096-131-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/2096-126-0x00000000005E0000-0x00000000005E7000-memory.dmp

Filesize
28KB

Download
memory/2096-125-0x0000000000000000-mapping.dmp

Download
memory/2132-123-0x0000000000980000-0x0000000000987000-memory.dmp

Filesize
28KB

Download
memory/2132-124-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2132-122-0x0000000000000000-mapping.dmp

Download
memory/2228-116-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/2328-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-115-0x0000000000402FAB-mapping.dmp

Download
memory/2360-135-0x0000000003100000-0x0000000003109000-memory.dmp

Filesize
36KB

Download
memory/2360-134-0x0000000003110000-0x0000000003115000-memory.dmp

Filesize
20KB

Download
memory/2360-133-0x0000000000000000-mapping.dmp

Download
memory/2428-145-0x0000000000000000-mapping.dmp

Download
memory/2428-147-0x0000000003190000-0x0000000003199000-memory.dmp

Filesize
36KB

Download
memory/2428-146-0x00000000031A0000-0x00000000031A5000-memory.dmp

Filesize
20KB

Download
memory/2500-142-0x0000000000000000-mapping.dmp

Download
memory/2500-144-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/2500-143-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/2544-166-0x0000000000000000-mapping.dmp

Download
memory/2884-137-0x0000000000FE0000-0x0000000000FE6000-memory.dmp

Filesize
24KB

Download
memory/2884-138-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download
memory/2884-136-0x0000000000000000-mapping.dmp

Download
memory/3024-117-0x0000000000C50000-0x0000000000C66000-memory.dmp

Filesize
88KB

Download
memory/3156-127-0x0000000000720000-0x0000000000794000-memory.dmp

Filesize
464KB

Download
memory/3156-121-0x0000000000000000-mapping.dmp

Download
memory/3156-132-0x00000000006B0000-0x000000000071B000-memory.dmp

Filesize
428KB

Download
memory/3552-167-0x0000000000000000-mapping.dmp

Download
memory/3704-128-0x0000000000000000-mapping.dmp

Download
memory/3704-130-0x0000000000D80000-0x0000000000D8F000-memory.dmp

Filesize
60KB

Download
memory/3704-129-0x0000000000D90000-0x0000000000D99000-memory.dmp

Filesize
36KB

Download