buran | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1679s
max time network
1704s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Size

812KB
MD5

5181f541a6d97bab854d5eba326ea7d9
SHA1

16d9967a2658ac765d7acbea18c556b927b810be
SHA256

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512

c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
SSDEEP

6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 3D5-499-44B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 12 IoCs

Processes:

resource	yara_rule
behavioral32/memory/1640-134-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/1640-139-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/1640-140-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/3052-141-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/3052-144-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/3052-145-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/3052-146-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/996-160-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/996-161-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/996-162-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/996-163-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral32/memory/3052-187-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

3052 lsass.exe
996 lsass.exe

pid	process
3052	lsass.exe
996	lsass.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GroupCopy.tiff	lsass.exe
File opened for modification	C:\Users\Admin\Pictures\ImportEnter.tiff	lsass.exe
File opened for modification	C:\Users\Admin\Pictures\RepairWatch.tiff	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zeppelin_08_03_2021_813KB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Zeppelin_08_03_2021_813KB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Zeppelin_08_03_2021_813KB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Zeppelin_08_03_2021_813KB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	Zeppelin_08_03_2021_813KB.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-400.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-125_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-30.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W0.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\credit-illustration.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.3D5-499-44B	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-colorize.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js.3D5-499-44B	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg.3D5-499-44B	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Zeppelin_08_03_2021_813KB.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1640	Zeppelin_08_03_2021_813KB.exe
Token: SeDebugPrivilege	1640	Zeppelin_08_03_2021_813KB.exe
Token: SeIncreaseQuotaPrivilege	1252	WMIC.exe
Token: SeSecurityPrivilege	1252	WMIC.exe
Token: SeTakeOwnershipPrivilege	1252	WMIC.exe
Token: SeLoadDriverPrivilege	1252	WMIC.exe
Token: SeSystemProfilePrivilege	1252	WMIC.exe
Token: SeSystemtimePrivilege	1252	WMIC.exe
Token: SeProfSingleProcessPrivilege	1252	WMIC.exe
Token: SeIncBasePriorityPrivilege	1252	WMIC.exe
Token: SeCreatePagefilePrivilege	1252	WMIC.exe
Token: SeBackupPrivilege	1252	WMIC.exe
Token: SeRestorePrivilege	1252	WMIC.exe
Token: SeShutdownPrivilege	1252	WMIC.exe
Token: SeDebugPrivilege	1252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1252	WMIC.exe
Token: SeRemoteShutdownPrivilege	1252	WMIC.exe
Token: SeUndockPrivilege	1252	WMIC.exe
Token: SeManageVolumePrivilege	1252	WMIC.exe
Token: 33	1252	WMIC.exe
Token: 34	1252	WMIC.exe
Token: 35	1252	WMIC.exe
Token: 36	1252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: 36	2468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Zeppelin_08_03_2021_813KB.exelsass.execmd.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 3052	1640	Zeppelin_08_03_2021_813KB.exe	lsass.exe
PID 1640 wrote to memory of 3052	1640	Zeppelin_08_03_2021_813KB.exe	lsass.exe
PID 1640 wrote to memory of 3052	1640	Zeppelin_08_03_2021_813KB.exe	lsass.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 1640 wrote to memory of 2000	1640	Zeppelin_08_03_2021_813KB.exe	notepad.exe
PID 3052 wrote to memory of 3116	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 3116	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 3116	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4568	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4568	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4568	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 1488	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 1488	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 1488	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4068	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4068	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4068	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4228	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4228	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 4228	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 2444	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 2444	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 2444	3052	lsass.exe	cmd.exe
PID 3052 wrote to memory of 996	3052	lsass.exe	lsass.exe
PID 3052 wrote to memory of 996	3052	lsass.exe	lsass.exe
PID 3052 wrote to memory of 996	3052	lsass.exe	lsass.exe
PID 3116 wrote to memory of 1252	3116	cmd.exe	WMIC.exe
PID 3116 wrote to memory of 1252	3116	cmd.exe	WMIC.exe
PID 3116 wrote to memory of 1252	3116	cmd.exe	WMIC.exe
PID 2444 wrote to memory of 2468	2444	cmd.exe	WMIC.exe
PID 2444 wrote to memory of 2468	2444	cmd.exe	WMIC.exe
PID 2444 wrote to memory of 2468	2444	cmd.exe	WMIC.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe
PID 3052 wrote to memory of 2580	3052	lsass.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    PID:996
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2580
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\Desktop\AssertAdd.exe.3D5-499-44B

Filesize
560KB

MD5
6f8d34771785cc2d5f46f72522dd6c1c

SHA1
913e8f2d0e7184ff6ee6f9b774453b990094f2f7

SHA256
bb934e42d0a5e553d4e7e040609c130edeafa1f8100e83d36711a7a6fdc645a4

SHA512
c484496b4aa2dc0fb3415645fa462208127c65c512a8070131c554385aabbd041a691e1e910196b01e4c3cd0dc1c63d8b995b9f35171c070903b0db6a7eba3cb

Download Submit
C:\Users\Admin\Desktop\AssertUnpublish.crw.3D5-499-44B

Filesize
700KB

MD5
aefb0a2b5035caf86817ee4c5fd199fd

SHA1
9f053b476f60de8a6fa01c9f771bf7c0a2803bc6

SHA256
53ac8f80a803bf01c3f442da9a2e0d06ff25662bfa6220c41f8c86f66d1ea239

SHA512
6c1d2440e0be79dad3c65b7b843ddd56e8990e1a25f4d6214968e198d59bb6f5394cdc9a63cc108d07b02a5c6179db4daac2725c60f49c7cc4818dfcca203a0e

Download Submit
C:\Users\Admin\Desktop\BlockSuspend.ex_.3D5-499-44B

Filesize
653KB

MD5
d2c44de07eda23297a17939f739c49ba

SHA1
322b4c178b9a11f6b30fda3e1a8c86f1a8fd76c4

SHA256
e8480f39de80eac577b92d57ef4b0c2cc44fbfbc9016f6d27b35446d69651b8f

SHA512
860202e94d155522176def947c8f0853a98d9b9d5086ab1ac094d8e8d9980ac3e3f30ea0c08cafceae8e0933b9a0a4c8b11af463df7e00fa3bd60c8326643d5e

Download Submit
C:\Users\Admin\Desktop\ConvertFromRename.ppt.3D5-499-44B

Filesize
723KB

MD5
2887912352da288fd2cf36a41e9f038c

SHA1
ae530a92cda6b58d43f12911d1dc5ddbd91f4b5e

SHA256
be9b3df89a2d37a15a9c447dfdc5c8fda5702525eae666ee7c65d050380a675a

SHA512
b129816f3c37a14fdee65a1fcbfb027147fed18e0649e16252d6dd78189533ef49ab2f644334553b3a1278a827047a068bb067044c637b3acc149ded1b1dae1b

Download Submit
C:\Users\Admin\Desktop\DisableWrite.png.3D5-499-44B

Filesize
607KB

MD5
6715c447e11e282190129646a26a2e6c

SHA1
73e08856c43782fb607f61ba4f79fca3d7f6aee3

SHA256
efd6439694a8342be70d0ee2c3ce0545e549afcbfe29f19c2494ccf5bc72f0ac

SHA512
0ef62dfb827cb43531c2ed82ecce2debf773c9e850d8dac45ea79b4134a938d37c5db298eaa0744d73f648b4a222ade1f342badbc6cb6e6e408eeb1735b21276

Download Submit
C:\Users\Admin\Desktop\DismountSubmit.cab.3D5-499-44B

Filesize
351KB

MD5
d0dd8f27a41f18648f0c60c31b67abcf

SHA1
f09c30dd514a6f30ded7a8d305e685ec97885dd0

SHA256
74ad9d009372ceddb33c18bb4656bd80effcdc3f421002c264412ec19f5810f2

SHA512
181ca11783a50525344adb2017e699e7030a714e4611ddd834ee8d995e0553f5a736fcb49fefd85e916ea80b7ae1efe8ae7f1b9f72670e9310b87abcaac7fe5c

Download Submit
C:\Users\Admin\Desktop\DismountWatch.crw.3D5-499-44B

Filesize
397KB

MD5
df5d5ebf12de1fc6de001f6cdad07a05

SHA1
ea02bc223f401fd9505c815703008810ba1b4295

SHA256
ce82f74389357743a93dc4008e469b8552a993ff2475a328ea1ca374d85c6032

SHA512
45468363c8dce4d216156223f5f3bc7eef663481d51a25c9bd0aa3fe2263e210d99bb8b7d19c8cd57ec81ced7ce17526a3c51aa7db89c5db51fcc1212628f1bb

Download Submit
C:\Users\Admin\Desktop\EnterBackup.MOD.3D5-499-44B

Filesize
514KB

MD5
6d8f687567cd554f7d17a18ba4c78cab

SHA1
74fab7a8d0fb5a1576fc58b8ebaa26181560e08d

SHA256
ee822fff35debcca0ab008554ac3eb768b82cc5a94e7f966b634191a2bb57da0

SHA512
53612da8adfaf67deff780f375e1e4be9298f4edc47a07182abf4c58eaadcfce327474781e55662848f9bf1b65b87ba7c706e995a4bb005bedd2639d7e83dda3

Download Submit
C:\Users\Admin\Desktop\EnterGrant.mpeg.3D5-499-44B

Filesize
491KB

MD5
0aa7e3ec6b134b6b6299d0509dd3f3e2

SHA1
080a20788243744375f9d3bcd13bb5cf9f7dc8bf

SHA256
25d8536f72865da909bc5cd83bcb0d736642cec417c4e9067153e2f18e9c6991

SHA512
1ea5bc4fa5f2b0f97bc283b44790870ebc28151be0b23ff1ff3fc6a6dc5d2aa2239eb04f03080e359cf2db82a5008cffce744fb545e1b4fe5c5416fe01c12102

Download Submit
C:\Users\Admin\Desktop\ImportFormat.zip.3D5-499-44B

Filesize
630KB

MD5
5a39bdfbf848cb322e0a9bf06a1c038f

SHA1
9d9bbf2fc63d7e3d29bac2f33fd79f7270cc172e

SHA256
cd2f3fd588809130dae04ddf3c3c3929d6d4943c72b88bc04f14a509885eb26c

SHA512
e46509832b630472d5ffee5858a00eb8265bbcb72508fdb167709029da950a9bf9f8c4329b5148382e61fda000ae0c456cdca01be6faf1c33327119ae4c3314d

Download Submit
C:\Users\Admin\Desktop\OptimizeJoin.xps.3D5-499-44B

Filesize
467KB

MD5
e5ac3ba357029ac15cf45477678e5ac1

SHA1
800154b174f850ae51a1b6d5362f55d79f13cec0

SHA256
e9907d445f11b1355c6eb3553ee2b61cdcc4e242f8827868078dc9322d589448

SHA512
a077751ef01d92ff5629e803c84a1ea5a63cfc226b9909eaf341e23409f30e29c81dccc09d7021533bcb8c58502d2873b78bd4a47e254a711544ec05a4eb50cb

Download Submit
C:\Users\Admin\Desktop\ReadResolve.odp.3D5-499-44B

Filesize
537KB

MD5
7b4aef03cb279d27c854037f6f0539fb

SHA1
f518f809ae3ab21aec092341a3e09fa8b12960a7

SHA256
e443ea42317208941ef2802f01ca7bf07991e47a079e1dc8e5b3c7a60ad6e4f8

SHA512
28fdacabbf700914433bb9ae6a048715f4bb55eca0fe80da436a7cafb62da887a90e85e8f7e747cda9867c15315504a03cd4ede7d122ea27fea162471f7067e7

Download Submit
C:\Users\Admin\Desktop\RemoveMeasure.asf.3D5-499-44B

Filesize
258KB

MD5
b5551751aaafee4390b4e6e002607402

SHA1
fa54678401c84b1b1951f35b82d720d6b29d1951

SHA256
346a31a3d1acaf494af1f660259b5094218fa937a22e25e5c8d262f7e54f180f

SHA512
0797585eff78e762c27129925c2a9f731bf0e47e396384e9ace06f7122770501245ae504a7597d66373e15db355ea4d514b3693ff825a7e098eebed5f20159ce

Download Submit
C:\Users\Admin\Desktop\RevokeStep.vsd.3D5-499-44B

Filesize
374KB

MD5
6edf6a3297c3de0b897b8b22980dd3a9

SHA1
2ebab3c79d15f160a25f830e322825719eeed116

SHA256
66c50c1b4ac250a77259ebe3be78c2f122f76104e62a86f8076b62e321b59d96

SHA512
cc835997dd81343533748e9e75cbd3cae3d754315e50d129e572759687c09df662bd1a1aba88fff7666226f864321bb8c706001905fd2264b10abe8575b7752e

Download Submit
C:\Users\Admin\Desktop\SkipDebug.rle.3D5-499-44B

Filesize
421KB

MD5
91f2d9acbab50a6066f7a8e4cb71c971

SHA1
a2e4fc969361fc55f92c123f78c292b6e25a54de

SHA256
cbb2eb8832b2f24c3e61bf57f48043981dd2c8d698813ccb4d9a862fe348211a

SHA512
5440497946ba2d92c4121e217519e9dbecc71e5b2d338b18de93125e6d36d874870cb325be7272160fed49370d7a264f4e4d4a1809dd8d1f59b3317bbd5fef8b

Download Submit
C:\Users\Admin\Desktop\SkipProtect.rle.3D5-499-44B

Filesize
584KB

MD5
e70124d152ab3ddebb99a1de43b973a4

SHA1
c4ed7f25023c2895a17807dcd3179ccc87881b3b

SHA256
2fe26ef8bf78ccd49f3be866cad1f3dfafa5695b5c5ea1ace3ab64a5903352b1

SHA512
1d74435449045e450f415ae2dedbc17a8d5c734b34d1c261c2ac82812cd52c15abe786d15195ada768386455a8ee36ab04610cd57feea521f9b2f1f6fe0bc313

Download Submit
C:\Users\Admin\Desktop\SuspendDeny.mpe.3D5-499-44B

Filesize
444KB

MD5
f9f10af65ec50536b859823b3e467eda

SHA1
91cc961c783480bb9faf64cb27a22543976641ba

SHA256
93d22dee54055897e00c893216f6e1302802576f793bcd0dcede317961eb5338

SHA512
4279c2dd662b17a35256365ac5ee5847b1d597f296859eb22166ce7af482ed22a96fa2fc20f92e16307883664f58c07150a55e898ff3c5dd51f3bf9b7356190e

Download Submit
C:\Users\Admin\Desktop\SwitchConnect.docx.3D5-499-44B

Filesize
304KB

MD5
c340cdadaaaddec01b9321bf15c16819

SHA1
8bf97e1374221f8c8baa5bc6eb8923eb5059771c

SHA256
446e21deb0c9b38d246ae8754ec3d6d0774e661cf2b2acc44ed34cc762b16318

SHA512
5ad5847241d70b5af0c5e93a0676807a64982db6f3932e131372d816e09e2e5aabe718f9d69c417d27ec0a63ef24dd4309807f62008f6565b91a51a0826514bc

Download Submit
C:\Users\Admin\Desktop\TestStart.edrwx.3D5-499-44B

Filesize
677KB

MD5
bf56b215445c6ce368b758737c1bcb4b

SHA1
18c5b8520f6959e5d5303ef308198d324582079c

SHA256
f14f427b4182c8df58bc323733ccd01e56e62fb54dae4803eaa468191904cc64

SHA512
9aa3fcb66bd62a296935acfed5ebdad6b63ce4986d8c3e19e8c28739992c92abb6df210d46118f30d852f7c4af493972e87651419fd1b92acad547d1b0bd8d99

Download Submit
C:\Users\Admin\Desktop\UninstallInstall.eprtx.3D5-499-44B

Filesize
1003KB

MD5
c03ff27f7e2e9e6b3d54cdc759ca757a

SHA1
d9a3dd6193fabc3fa789f6540fde8c9a7e0cc725

SHA256
5dc8a680347026c776c4749d4069c96ee1aea092735eeba4271a21c09dfb6a49

SHA512
9be27b84e311951e8385f2e07918410f59f22ca7b7b8c434d18e952b600749cffac6cea9807df1c55dcdbe43ec27504b8d97fb58d23b725b9c8e4e57a72612a0

Download Submit
C:\Users\Admin\Desktop\UninstallPush.png.3D5-499-44B

Filesize
328KB

MD5
874fcbd5ce7fbd39d5a2f3bd6b118e53

SHA1
2e147a5e386118ef70130b3e4c8cae8ab9956fd2

SHA256
9a35c660ae0d0552b29cc0fb95d23e60032c36c6eba87af2db52122866b9289d

SHA512
a91ee0caadb0b840df26b98a44012427df0f36bbcb53e0d74362c6b24487da3fd28baab871d747e568a11b45a3912e6ba4af23214fc4414573582a085e43f6d2

Download Submit
C:\Users\Admin\Desktop\UnprotectRestore.vstx.3D5-499-44B

Filesize
281KB

MD5
d3fb4890d02bdc589fc7e4842ffa4f7c

SHA1
bc562e6d92ac0a86331a8bd313be2e2478e10b04

SHA256
798340476366adac617748043186c2c9ee87d3efc0f72e87ddec4d81adb2aaa6

SHA512
5c11e529045c9df043a441f4bcca41de6eb4b196c390944cb59cd97ffedc90ba64ed9f2ac3d29dc528541bd98a9a7c525e9d57e47823c364b424cc84d6f729f1

Download Submit
memory/996-160-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/996-156-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/996-159-0x0000000007800000-0x000000000CA5C000-memory.dmp

Filesize
82.4MB

Download
memory/996-161-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/996-162-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/996-163-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/996-153-0x0000000000000000-mapping.dmp

Download
memory/1252-155-0x0000000000000000-mapping.dmp

Download
memory/1488-149-0x0000000000000000-mapping.dmp

Download
memory/1640-133-0x00000000076D0000-0x000000000C92C000-memory.dmp

Filesize
82.4MB

Download
memory/1640-134-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1640-132-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1640-139-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1640-140-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1640-142-0x00000000076D0000-0x000000000C92C000-memory.dmp

Filesize
82.4MB

Download
memory/2000-138-0x0000000000000000-mapping.dmp

Download
memory/2444-152-0x0000000000000000-mapping.dmp

Download
memory/2468-158-0x0000000000000000-mapping.dmp

Download
memory/2580-186-0x0000000000000000-mapping.dmp

Download
memory/3052-144-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3052-143-0x0000000007800000-0x000000000CA5C000-memory.dmp

Filesize
82.4MB

Download
memory/3052-145-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3052-141-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3052-146-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3052-135-0x0000000000000000-mapping.dmp

Download
memory/3052-187-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3116-147-0x0000000000000000-mapping.dmp

Download
memory/4068-150-0x0000000000000000-mapping.dmp

Download
memory/4228-151-0x0000000000000000-mapping.dmp

Download
memory/4568-148-0x0000000000000000-mapping.dmp

Download