buran | 42666b2cb8dfc909799f874b536fece113099aa9c5d4e6f3d4deef7af99625c5

Analysis

max time kernel
153s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-02-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

March 4.scr
Size

812KB
MD5

5181f541a6d97bab854d5eba326ea7d9
SHA1

16d9967a2658ac765d7acbea18c556b927b810be
SHA256

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512

c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 6B3-226-291 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1400 svchost.exe
1604 svchost.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1560 notepad.exe
Loads dropped DLL 1 IoCs

Processes:

March 4.scr

pid process

1080 March 4.scr

pid	process
1400	svchost.exe
1604	svchost.exe

pid	process
1560	notepad.exe

pid	process
1080	March 4.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

March 4.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	March 4.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	March 4.scr

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nipigon	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	svchost.exe
File created	C:\Program Files\Java\jre7\lib\jfr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.6B3-226-291	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo.6B3-226-291	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1836 vssadmin.exe
1084 vssadmin.exe

pid	process
1836	vssadmin.exe
1084	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

March 4.scrsvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	March 4.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	March 4.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	March 4.scr

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

March 4.scrvssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1080	March 4.scr
Token: SeDebugPrivilege	1080	March 4.scr
Token: SeBackupPrivilege	268	vssvc.exe
Token: SeRestorePrivilege	268	vssvc.exe
Token: SeAuditPrivilege	268	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1076	WMIC.exe
Token: SeSecurityPrivilege	1076	WMIC.exe
Token: SeTakeOwnershipPrivilege	1076	WMIC.exe
Token: SeLoadDriverPrivilege	1076	WMIC.exe
Token: SeSystemProfilePrivilege	1076	WMIC.exe
Token: SeSystemtimePrivilege	1076	WMIC.exe
Token: SeProfSingleProcessPrivilege	1076	WMIC.exe
Token: SeIncBasePriorityPrivilege	1076	WMIC.exe
Token: SeCreatePagefilePrivilege	1076	WMIC.exe
Token: SeBackupPrivilege	1076	WMIC.exe
Token: SeRestorePrivilege	1076	WMIC.exe
Token: SeShutdownPrivilege	1076	WMIC.exe
Token: SeDebugPrivilege	1076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1076	WMIC.exe
Token: SeRemoteShutdownPrivilege	1076	WMIC.exe
Token: SeUndockPrivilege	1076	WMIC.exe
Token: SeManageVolumePrivilege	1076	WMIC.exe
Token: 33	1076	WMIC.exe
Token: 34	1076	WMIC.exe
Token: 35	1076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

March 4.scrsvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 1400	1080	March 4.scr	svchost.exe
PID 1080 wrote to memory of 1400	1080	March 4.scr	svchost.exe
PID 1080 wrote to memory of 1400	1080	March 4.scr	svchost.exe
PID 1080 wrote to memory of 1400	1080	March 4.scr	svchost.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1080 wrote to memory of 1560	1080	March 4.scr	notepad.exe
PID 1400 wrote to memory of 1556	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1556	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1556	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1556	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1488	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1488	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1488	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1488	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 308	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 308	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 308	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 308	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1704	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1704	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1704	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1704	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2032	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2032	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2032	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2032	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2036	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2036	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2036	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 2036	1400	svchost.exe	cmd.exe
PID 1400 wrote to memory of 1604	1400	svchost.exe	svchost.exe
PID 1400 wrote to memory of 1604	1400	svchost.exe	svchost.exe
PID 1400 wrote to memory of 1604	1400	svchost.exe	svchost.exe
PID 1400 wrote to memory of 1604	1400	svchost.exe	svchost.exe
PID 2032 wrote to memory of 1836	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1836	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1836	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1836	2032	cmd.exe	vssadmin.exe
PID 1556 wrote to memory of 1076	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1076	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1076	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1076	1556	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1084	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1084	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1084	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1084	2036	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\March 4.scr
"C:\Users\Admin\AppData\Local\Temp\March 4.scr" /S
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1084

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1604

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
43391b412c650cde148653f76041c4c9

SHA1
f01dede729775576d9b3f4055bcb2f266c6260ed

SHA256
563836a148088af7fd35407fdb197f3b03198f89d7b44ec21efcdf87e03735ad

SHA512
593874dcb37de114829dd0de6ea879324121f898d9201a4ed26668aa9b77886e0afb7103dd3e1a15a42d520b1987ec0ba116e371610093fa03b7649b0056e716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
faa285bde2e487ce7d9b8419e5d68449

SHA1
bdc1d3d2f283c23954406f01c453774b41c4cff3

SHA256
76f585d5e0ac3247f817f02d521b6c169f068062c693a2ad800426ef4f67e2c2

SHA512
95647b54124efec096c4e65225c758a234f284b641b58d861a7733dd9c183807a523b17d652d573d654113d7cae3cb1c8bbcd990a53779ed86d0887a9d56723b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
09c39cd47a026a9f730cedcf0cd6c086

SHA1
c496f857cdd321b0c233908e5cfca3a2741774db

SHA256
dac2163db6f8f5efe2040c00e1af9f71605f892ea29a858f8b95cd5469a74e3b

SHA512
722839ff8035ea20e14bdaeee553ecfcf8679ec7800c3f826163d3f978eb933c662fa3c66178a84463fd3aa6cd78469d275a26e0779b00b978665037d4736bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
b8d8dd21f3fa1ea2e33bfbf92dcb095f

SHA1
069f45075eec0f7f0083da35dc57974a3c9688cb

SHA256
c1e4bbe914b8a4304b6d3bbdb0a9f8be83f87889b25faa9ef5aad0b6a856a463

SHA512
dc04f3da4522e66f14d4271471c065aa95b0d5629ee32eae1eb4335e9e4c68c1426dc11fd1d67608a3a2b5e96877842cd3d68b7da41d802372475b73c8ca838a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
f756f14771204f3ac582c64838e62f6f

SHA1
5a17ba1a74e4e4f789f91d01847cd69329192f75

SHA256
5f60ddd57be65ed09129d5fc54281412e19fcc5c67ee27674c069f9c2df3941c

SHA512
28cbc59f2a6b161c5908109497513f9e1b72f4d00bfff7e0aee9e44fffa2f40efe0e2e345aff5def40bd32f84263a427e33b5407ce6e768fb3e4d1713aee01d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a6831ae5eccf412b7a6b09cad75e706b

SHA1
aae0a6e0404bf929c0d40383b2e9611b8c5fc423

SHA256
fdc4c4d718b9d715d51f58a47e31c8577e1d1732cb980e4674b201cbfe640ff5

SHA512
772bfca32958722fa09619baa8c1092bd17ea32e048cd387d80c6459e92467bc710b9882ea4e9b45da81c2641c9cf0dd0b9a748522fef222a232f48ad25d8cee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
065726dfc4593ee210787d9d922cb7d2

SHA1
c60ed15a30cbb7ab28bb102a16ccf0daa439bb41

SHA256
b0aa7310d28ad2c50d6a3c70a265b985b93e855386098d3e11b72d7ca2d4fe19

SHA512
394157f78b794a4f923d9b42f3c9959b1e3a4f76b57f3e0673cc949580405634b6410cc9e7fa99f8df97603630b9c3063fa6eb7f349608658b34ff0d5e6f99cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\H74KYIY4.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\TVDX75K2.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
memory/1080-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/1080-57-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1080-56-0x0000000007120000-0x000000000C37C000-memory.dmp

Filesize
82.4MB

Download
memory/1400-76-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1400-68-0x0000000006F90000-0x000000000C1EC000-memory.dmp

Filesize
82.4MB

Download
memory/1560-61-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1560-65-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1604-80-0x00000000071B0000-0x000000000C40C000-memory.dmp

Filesize
82.4MB

Download