neshta | faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6

Analysis

max time kernel
168s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2023 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeppelinbggaehbcdj14_browsingExe.exe
Size

257KB
MD5

f66b738e1bfe1f8aab510abed850c424
SHA1

571f50fee0acad1da39fe06c75116461800cc719
SHA256

faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6
SHA512

dd8b63631b23a18f062e64c5e719ead52075964a2e465dfc2663425c97f0030ced80b6e48fdc84d54b2b8fb42513a9c9d0a60763eb2feca9f89c900b5bdcb97f
SSDEEP

6144:k957WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIGZi+YyJE1yR:O7WWKvhPWa4DQFu/U3buRKlemZ9DnGAy

Score

10^/10

neshta zeppelin persistence ransomware spyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: [email protected] Alternative email: [email protected] Public emai:l [email protected] Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

Emails

[email protected]

URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Signatures

Detect Neshta payload 28 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-133-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-135-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/952-165-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-166-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-168-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\odt\office2016setup.exe	family_neshta
behavioral2/memory/952-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-530-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-620-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-735-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-778-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-856-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-910-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-973-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1042-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1133-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1425-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1514-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1540-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1550-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1564-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1591-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2156-1703-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-1745-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detects Zeppelin payload 26 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe	family_zeppelin
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe	family_zeppelin
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	family_zeppelin
behavioral2/memory/2432-163-0x0000000000D30000-0x0000000000E71000-memory.dmp	family_zeppelin
behavioral2/memory/4692-167-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	family_zeppelin
behavioral2/memory/1972-181-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/4692-196-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-387-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/4692-449-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-567-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-762-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/4692-779-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-889-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/4692-919-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1016-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1198-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/4692-1280-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1362-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1531-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1555-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1630-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin
behavioral2/memory/3744-1746-0x0000000000F60000-0x00000000010A1000-memory.dmp	family_zeppelin

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 5 IoCs

Processes:

Zeppelinbggaehbcdj14_browsingExe.exesvchost.comlsass.exelsass.exelsass.exe

pid process

2432 Zeppelinbggaehbcdj14_browsingExe.exe
2156 svchost.com
4692 lsass.exe
3744 lsass.exe
1972 lsass.exe

pid	process
2432	Zeppelinbggaehbcdj14_browsingExe.exe
2156	svchost.com
4692	lsass.exe
3744	lsass.exe
1972	lsass.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Zeppelinbggaehbcdj14_browsingExe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zeppelinbggaehbcdj14_browsingExe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Zeppelinbggaehbcdj14_browsingExe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	Zeppelinbggaehbcdj14_browsingExe.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar.v-society.567-125-A10	lsass.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif	lsass.exe
File opened for modification	C:\Program Files\SkipResume.ADT.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties	lsass.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.v-society.567-125-A10	lsass.exe
File created	C:\Program Files (x86)\.sys	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt.v-society.567-125-A10	lsass.exe
File created	C:\Program Files\Java\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar	lsass.exe
File opened for modification	C:\Program Files\DisableUnpublish.edrwx.v-society.567-125-A10	lsass.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe.v-society.567-125-A10	lsass.exe

Drops file in Windows directory 3 IoCs

Processes:

Zeppelinbggaehbcdj14_browsingExe.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	Zeppelinbggaehbcdj14_browsingExe.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Zeppelinbggaehbcdj14_browsingExe.exeZeppelinbggaehbcdj14_browsingExe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zeppelinbggaehbcdj14_browsingExe.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	Zeppelinbggaehbcdj14_browsingExe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsass.exe

pid	process
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Zeppelinbggaehbcdj14_browsingExe.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2432	Zeppelinbggaehbcdj14_browsingExe.exe
Token: SeDebugPrivilege	2432	Zeppelinbggaehbcdj14_browsingExe.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe
Token: 36	3628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

Zeppelinbggaehbcdj14_browsingExe.exeZeppelinbggaehbcdj14_browsingExe.exesvchost.comlsass.execmd.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 2432	952	Zeppelinbggaehbcdj14_browsingExe.exe	Zeppelinbggaehbcdj14_browsingExe.exe
PID 952 wrote to memory of 2432	952	Zeppelinbggaehbcdj14_browsingExe.exe	Zeppelinbggaehbcdj14_browsingExe.exe
PID 952 wrote to memory of 2432	952	Zeppelinbggaehbcdj14_browsingExe.exe	Zeppelinbggaehbcdj14_browsingExe.exe
PID 2432 wrote to memory of 2156	2432	Zeppelinbggaehbcdj14_browsingExe.exe	svchost.com
PID 2432 wrote to memory of 2156	2432	Zeppelinbggaehbcdj14_browsingExe.exe	svchost.com
PID 2432 wrote to memory of 2156	2432	Zeppelinbggaehbcdj14_browsingExe.exe	svchost.com
PID 2156 wrote to memory of 4692	2156	svchost.com	lsass.exe
PID 2156 wrote to memory of 4692	2156	svchost.com	lsass.exe
PID 2156 wrote to memory of 4692	2156	svchost.com	lsass.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 2432 wrote to memory of 3340	2432	Zeppelinbggaehbcdj14_browsingExe.exe	notepad.exe
PID 4692 wrote to memory of 2592	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 2592	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 2592	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 560	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 560	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 560	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 1380	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 1380	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 1380	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3880	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3880	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3880	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 832	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 832	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 832	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3052	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3052	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3052	4692	lsass.exe	cmd.exe
PID 4692 wrote to memory of 3744	4692	lsass.exe	lsass.exe
PID 4692 wrote to memory of 3744	4692	lsass.exe	lsass.exe
PID 4692 wrote to memory of 3744	4692	lsass.exe	lsass.exe
PID 4692 wrote to memory of 1972	4692	lsass.exe	lsass.exe
PID 4692 wrote to memory of 1972	4692	lsass.exe	lsass.exe
PID 4692 wrote to memory of 1972	4692	lsass.exe	lsass.exe
PID 3052 wrote to memory of 3628	3052	cmd.exe	WMIC.exe
PID 3052 wrote to memory of 3628	3052	cmd.exe	WMIC.exe
PID 3052 wrote to memory of 3628	3052	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 1644	2592	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 1644	2592	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 1644	2592	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj14_browsingExe.exe
"C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj14_browsingExe.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe" -start
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe
      C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe -start
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        5⤵
        
        PID:832
    - - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe" -agent 1
        5⤵
        Executes dropped EXE
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe" -agent 0
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:560
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
1KB

MD5
bbcf34cd6da2b72eabeafe2e82846df8

SHA1
e17a5459251d6fdce6184a438752766158337c4b

SHA256
46bb44ee485f8ae3d19c3890f69430c5dc2fa8f88bb13138bbf5073a3c9812ac

SHA512
520b31de32e5e0acbd7c725ef246b6f049b6ad19060b1631c00ab06caa60480128af39016ae40f7c287ec66a0fbc1ffec6ade85fde12d5333792b92dcec957cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Zeppelinbggaehbcdj14_browsingExe.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\lsass.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
216KB

MD5
78621f1e196497d440afb57f4609fcf9

SHA1
eed7c3bb3fc5181b88abeed2204997f350324022

SHA256
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

SHA512
8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\.Zeppelin

Filesize
513B

MD5
5d0187ffdf87419fc8f56f58ad65b092

SHA1
1ca27fd360d3d7a42b600de4a047adb2aca31e80

SHA256
2e64b7e05eab9618681023654d37ee007df4592e082b5a78ad88c6b05f73dc12

SHA512
6072ba29bb6da96f42c2461b67bea643b4ddefbd4fab96c1397164c038ff4d9f7cd5ca6733acc685ccf90cb274d8796a9b72da535af036bcbc6d029fbc749c58

Download Submit
C:\odt\office2016setup.exe

Filesize
5.1MB

MD5
62439906a0f20a21ecb33fbebd58ea3e

SHA1
f7ad9081d4c11522b41d3f1d1c472465502e5e5e

SHA256
20205f1966de21d04f7d878832405ff156c479fca3eabed1a5a7f876a5c4e252

SHA512
cc338ee4ff67e6bb4b478fcf6a580edddf1e4df47792e69ef14c16a8745e3b9a0e9266d060d4c68beeb749165cd93dd10c1a786b7b810b110c40a84b1ab8814f

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
079197bf8e69248c39e32a243baebd2b

SHA1
db5a976848516c70fdb10a2ea4edc1456ce58646

SHA256
fb62bee730b1c61c9265587f314460ae02c49fb4b41809c9b3a6aa587d05cbcd

SHA512
2b5d01cc6c789cdf802419bfe5fdfbc89fe750f9278c43085039ed313ec4383e0a3e49d51106357bfee544a7cf45a38ab74ecf1349b0e8702121b29b71f46f3e

Download Submit
memory/952-973-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1550-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-165-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1745-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1591-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1514-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-735-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-1133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-856-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-181-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/2156-620-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-778-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-166-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1540-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-910-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1703-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1042-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-1564-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2432-163-0x0000000000D30000-0x0000000000E71000-memory.dmp

Filesize
1.3MB

Download
memory/3340-162-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3744-387-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1198-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1016-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1630-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1362-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-762-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-889-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1531-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-567-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1746-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/3744-1555-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-449-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-167-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-196-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-1280-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-919-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download
memory/4692-779-0x0000000000F60000-0x00000000010A1000-memory.dmp

Filesize
1.3MB

Download