Analysis
- max time kernel: 56s
- max time network: 111s
- platform: windows10_x64
- resource: win10v200722
- submitted: 28-08-2020 03:35
Static task
static1
Behavioral task
behavioral1
Sample
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource
win7
Behavioral task
behavioral2
Sample
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource
win10v200722
General
-
Target
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Size
54KB
-
MD5
439ef1ddf569a7d6a8280a229357fcfc
-
SHA1
c1a5dfd851337cd12770244c97e83b7066dea781
-
SHA256
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804
-
SHA512
fe4c2a55135f065af8733a1eeb9904353b7279f44ecb8732c58067d4b15f03c5c15d10857994943e785c35a688ca2ee9f333abf3a6dca80542d651be6b77e75e
Malware Config
Extracted
C:\Users\Public\Documents\!$R4GN4R_C37F73E1$!.txt
ragnarlocker
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
Processes:
bcdedit.exe, bcdedit.exe, bcdedit.exe
pid | process
2800 | bcdedit.exe
1328 | bcdedit.exe
68 | bcdedit.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
description | ioc | process
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-1400429095-533421673-2598934218-1000\desktop.ini | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
-
Drops file in Program Files directory 1845 IoCs
-
Drops file in Windows directory 1 IoCs
Processes:
svchost.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
1680 | vssadmin.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = ec430992fd7cd601 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 204 IoCs
Processes:
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
pid | process
584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
svchost.exe, 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe, wmic.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 688 | svchost.exe
Token: SeCreatePagefilePrivilege | 688 | svchost.exe
Token: SeTakeOwnershipPrivilege | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeRestorePrivilege | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeIncreaseQuotaPrivilege | 3796 | wmic.exe
Token: SeSecurityPrivilege | 3796 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3796 | wmic.exe
Token: SeLoadDriverPrivilege | 3796 | wmic.exe
Token: SeSystemProfilePrivilege | 3796 | wmic.exe
Token: SeSystemtimePrivilege | 3796 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3796 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3796 | wmic.exe
Token: SeCreatePagefilePrivilege | 3796 | wmic.exe
Token: SeBackupPrivilege | 3796 | wmic.exe
Token: SeRestorePrivilege | 3796 | wmic.exe
Token: SeShutdownPrivilege | 3796 | wmic.exe
Token: SeDebugPrivilege | 3796 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3796 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3796 | wmic.exe
Token: SeUndockPrivilege | 3796 | wmic.exe
Token: SeManageVolumePrivilege | 3796 | wmic.exe
Token: 33 | 3796 | wmic.exe
Token: 34 | 3796 | wmic.exe
Token: 35 | 3796 | wmic.exe
Token: 36 | 3796 | wmic.exe
Token: SeBackupPrivilege | 2092 | vssvc.exe
Token: SeRestorePrivilege | 2092 | vssvc.exe
Token: SeAuditPrivilege | 2092 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3796 | wmic.exe
Token: SeSecurityPrivilege | 3796 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3796 | wmic.exe
Token: SeLoadDriverPrivilege | 3796 | wmic.exe
Token: SeSystemProfilePrivilege | 3796 | wmic.exe
Token: SeSystemtimePrivilege | 3796 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3796 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3796 | wmic.exe
Token: SeCreatePagefilePrivilege | 3796 | wmic.exe
Token: SeBackupPrivilege | 3796 | wmic.exe
Token: SeRestorePrivilege | 3796 | wmic.exe
Token: SeShutdownPrivilege | 3796 | wmic.exe
Token: SeDebugPrivilege | 3796 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3796 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3796 | wmic.exe
Token: SeUndockPrivilege | 3796 | wmic.exe
Token: SeManageVolumePrivilege | 3796 | wmic.exe
Token: 33 | 3796 | wmic.exe
Token: 34 | 3796 | wmic.exe
Token: 35 | 3796 | wmic.exe
Token: 36 | 3796 | wmic.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
description | pid | process | target process
PID 584 wrote to memory of 3796 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | wmic.exe
PID 584 wrote to memory of 3796 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | wmic.exe
PID 584 wrote to memory of 1680 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | vssadmin.exe
PID 584 wrote to memory of 1680 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | vssadmin.exe
PID 584 wrote to memory of 2800 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 584 wrote to memory of 2800 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 584 wrote to memory of 1328 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 584 wrote to memory of 1328 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 584 wrote to memory of 68 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 584 wrote to memory of 68 | 584 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe" (level 1)
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete (level 2)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet (level 2)
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit /set {default} recoveryenabled No (level 2)
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures (level 2)
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit /set {globalsettings} advancedoptions false (level 2)
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc (level 1)
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe (level 1)
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
4KB
-
memory/584-182-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-183-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/584-184-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/584-185-0x0000000006600000-0x0000000006601000-memory.dmpFilesize
4KB
-
memory/584-186-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/584-187-0x00000000064F0000-0x00000000064F1000-memory.dmpFilesize
4KB
-
memory/584-189-0x0000000005DC0000-0x0000000005DC1000-memory.dmpFilesize
4KB
-
memory/584-190-0x00000000065C0000-0x00000000065C1000-memory.dmpFilesize
4KB
-
memory/584-191-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/584-192-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/584-194-0x0000000006420000-0x0000000006421000-memory.dmpFilesize
4KB
-
memory/584-195-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/584-196-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-197-0x0000000006620000-0x0000000006621000-memory.dmpFilesize
4KB
-
memory/584-198-0x0000000006E20000-0x0000000006E21000-memory.dmpFilesize
4KB
-
memory/584-200-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-201-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/584-202-0x0000000006A60000-0x0000000006A61000-memory.dmpFilesize
4KB
-
memory/584-203-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/584-204-0x0000000006260000-0x0000000006261000-memory.dmpFilesize
4KB
-
memory/584-206-0x0000000005F70000-0x0000000005F71000-memory.dmpFilesize
4KB
-
memory/584-207-0x0000000006770000-0x0000000006771000-memory.dmpFilesize
4KB
-
memory/584-208-0x00000000068B0000-0x00000000068B1000-memory.dmpFilesize
4KB
-
memory/584-209-0x00000000060B0000-0x00000000060B1000-memory.dmpFilesize
4KB
-
memory/584-210-0x00000000070B0000-0x00000000070B1000-memory.dmpFilesize
4KB
-
memory/584-211-0x0000000006070000-0x0000000006071000-memory.dmpFilesize
4KB
-
memory/584-212-0x0000000006F50000-0x0000000006F51000-memory.dmpFilesize
4KB
-
memory/584-213-0x0000000005F60000-0x0000000005F61000-memory.dmpFilesize
4KB
-
memory/584-214-0x0000000006760000-0x0000000006761000-memory.dmpFilesize
4KB
-
memory/584-216-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-217-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/584-218-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-220-0x00000000067E0000-0x00000000067E1000-memory.dmpFilesize
4KB
-
memory/584-221-0x0000000005E10000-0x0000000005E26000-memory.dmpFilesize
88KB
-
memory/584-223-0x0000000006030000-0x0000000006031000-memory.dmpFilesize
4KB
-
memory/584-224-0x0000000006830000-0x0000000006831000-memory.dmpFilesize
4KB
-
memory/584-225-0x0000000006440000-0x0000000006441000-memory.dmpFilesize
4KB
-
memory/584-226-0x0000000006C40000-0x0000000006C41000-memory.dmpFilesize
4KB
-
memory/584-227-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-228-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-229-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-230-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-231-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-232-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-233-0x0000000005A80000-0x0000000005A8C000-memory.dmpFilesize
48KB
-
memory/584-234-0x0000000005F30000-0x0000000005F31000-memory.dmpFilesize
4KB
-
memory/584-235-0x0000000006730000-0x0000000006731000-memory.dmpFilesize
4KB
-
memory/584-236-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/584-237-0x0000000005A80000-0x0000000005A9A000-memory.dmpFilesize
104KB
-
memory/584-238-0x0000000005A80000-0x0000000005A9A000-memory.dmpFilesize
104KB
-
memory/584-239-0x0000000005A80000-0x0000000005A9A000-memory.dmpFilesize
104KB
-
memory/584-240-0x00000000065B0000-0x00000000065B1000-memory.dmpFilesize
4KB
-
memory/584-241-0x0000000006DB0000-0x0000000006DB1000-memory.dmpFilesize
4KB
-
memory/584-243-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/584-244-0x00000000065B0000-0x00000000065B1000-memory.dmpFilesize
4KB
-
memory/584-245-0x00000000060A0000-0x00000000060A1000-memory.dmpFilesize
4KB
-
memory/584-246-0x00000000068A0000-0x00000000068A1000-memory.dmpFilesize
4KB
-
memory/1328-105-0x0000000000000000-mapping.dmp
-
memory/1680-103-0x0000000000000000-mapping.dmp
-
memory/2800-104-0x0000000000000000-mapping.dmp
-
memory/3796-102-0x0000000000000000-mapping.dmp