Analysis
-
max time kernel
85s
-
max time network
10s
-
platform
windows7_x64
-
resource
win7v200722
-
submitted
28-08-2020 03:44
Static task
static1
Behavioral task
behavioral1
Sample
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource
win7v200722
Behavioral task
behavioral2
Sample
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource
win10
General
-
Target
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Size
54KB
-
MD5
439ef1ddf569a7d6a8280a229357fcfc
-
SHA1
c1a5dfd851337cd12770244c97e83b7066dea781
-
SHA256
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804
-
SHA512
fe4c2a55135f065af8733a1eeb9904353b7279f44ecb8732c58067d4b15f03c5c15d10857994943e785c35a688ca2ee9f333abf3a6dca80542d651be6b77e75e
Malware Config
Extracted
C:\Users\Public\Documents\!$R4GN4R_AC7AABB2$!.txt
ragnarlocker
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
Processes:
pid process
832 bcdedit.exe
1076 bcdedit.exe
668 bcdedit.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description ioc process
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2090973689-680783404-4292415065-1000\desktop.ini 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc process
File opened for modification \??\PHYSICALDRIVE0 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
-
Drops file in Program Files directory 2338 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1760 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 167 IoCs
Processes:
pid process
1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeRestorePrivilege 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeIncreaseQuotaPrivilege 1568 wmic.exe
Token: SeSecurityPrivilege 1568 wmic.exe
Token: SeTakeOwnershipPrivilege 1568 wmic.exe
Token: SeLoadDriverPrivilege 1568 wmic.exe
Token: SeSystemProfilePrivilege 1568 wmic.exe
Token: SeSystemtimePrivilege 1568 wmic.exe
Token: SeProfSingleProcessPrivilege 1568 wmic.exe
Token: SeIncBasePriorityPrivilege 1568 wmic.exe
Token: SeCreatePagefilePrivilege 1568 wmic.exe
Token: SeBackupPrivilege 1568 wmic.exe
Token: SeRestorePrivilege 1568 wmic.exe
Token: SeShutdownPrivilege 1568 wmic.exe
Token: SeDebugPrivilege 1568 wmic.exe
Token: SeSystemEnvironmentPrivilege 1568 wmic.exe
Token: SeRemoteShutdownPrivilege 1568 wmic.exe
Token: SeUndockPrivilege 1568 wmic.exe
Token: SeManageVolumePrivilege 1568 wmic.exe
Token: 33 1568 wmic.exe
Token: 34 1568 wmic.exe
Token: 35 1568 wmic.exe
Token: SeBackupPrivilege 1476 vssvc.exe
Token: SeRestorePrivilege 1476 vssvc.exe
Token: SeAuditPrivilege 1476 vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description pid process target process
PID 1420 wrote to memory of 1568 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe wmic.exe
PID 1420 wrote to memory of 1760 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe vssadmin.exe
PID 1420 wrote to memory of 832 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe bcdedit.exe
PID 1420 wrote to memory of 1076 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe bcdedit.exe
PID 1420 wrote to memory of 668 1420 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe"
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe
bcdedit /set {globalsettings} advancedoptions false
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
68KB
-
memory/1420-210-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-211-0x0000000003D10000-0x0000000003D21000-memory.dmpFilesize
68KB
-
memory/1420-212-0x0000000005BC0000-0x0000000005BD1000-memory.dmpFilesize
68KB
-
memory/1420-213-0x0000000003D10000-0x0000000003D21000-memory.dmpFilesize
68KB
-
memory/1420-214-0x0000000005BC0000-0x0000000005BD1000-memory.dmpFilesize
68KB
-
memory/1420-216-0x0000000005BC0000-0x0000000005BD1000-memory.dmpFilesize
68KB
-
memory/1420-217-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-218-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-221-0x0000000003D60000-0x0000000003D71000-memory.dmpFilesize
68KB
-
memory/1420-222-0x00000000047D0000-0x00000000047E1000-memory.dmpFilesize
68KB
-
memory/1420-223-0x0000000003D60000-0x0000000003D71000-memory.dmpFilesize
68KB
-
memory/1420-224-0x00000000047D0000-0x00000000047E1000-memory.dmpFilesize
68KB
-
memory/1420-225-0x0000000003D60000-0x0000000003D71000-memory.dmpFilesize
68KB
-
memory/1420-228-0x00000000046C0000-0x00000000046D1000-memory.dmpFilesize
68KB
-
memory/1420-230-0x00000000044D0000-0x00000000044E1000-memory.dmpFilesize
68KB
-
memory/1420-231-0x0000000004060000-0x0000000004071000-memory.dmpFilesize
68KB
-
memory/1420-232-0x0000000004470000-0x0000000004481000-memory.dmpFilesize
68KB
-
memory/1420-234-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-235-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-236-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-237-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-238-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-239-0x0000000003D90000-0x0000000003DA1000-memory.dmpFilesize
68KB
-
memory/1420-240-0x0000000004C20000-0x0000000004C31000-memory.dmpFilesize
68KB
-
memory/1420-241-0x0000000003D90000-0x0000000003DA1000-memory.dmpFilesize
68KB
-
memory/1420-242-0x0000000004C20000-0x0000000004C31000-memory.dmpFilesize
68KB
-
memory/1420-243-0x0000000003D90000-0x0000000003DA1000-memory.dmpFilesize
68KB
-
memory/1420-244-0x0000000004C20000-0x0000000004C31000-memory.dmpFilesize
68KB
-
memory/1420-245-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-246-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-247-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-248-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-249-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-250-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-251-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-253-0x0000000003C70000-0x0000000003C81000-memory.dmpFilesize
68KB
-
memory/1420-254-0x0000000004950000-0x0000000004961000-memory.dmpFilesize
68KB
-
memory/1420-255-0x0000000004950000-0x0000000004961000-memory.dmpFilesize
68KB
-
memory/1420-256-0x0000000006310000-0x0000000006321000-memory.dmpFilesize
68KB
-
memory/1420-257-0x0000000006310000-0x0000000006321000-memory.dmpFilesize
68KB
-
memory/1420-258-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-259-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-260-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-261-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-262-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-263-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-264-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-272-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-273-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-274-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-275-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-276-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-277-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-278-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-279-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-282-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-283-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/1420-284-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-286-0x0000000009470000-0x0000000009481000-memory.dmpFilesize
68KB
-
memory/1420-287-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-288-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-289-0x0000000003CC0000-0x0000000003CD1000-memory.dmpFilesize
68KB
-
memory/1420-290-0x0000000004E20000-0x0000000004E31000-memory.dmpFilesize
68KB
-
memory/1420-291-0x0000000003B40000-0x0000000003B51000-memory.dmpFilesize
68KB
-
memory/1420-292-0x0000000004A50000-0x0000000004A61000-memory.dmpFilesize
68KB
-
memory/1420-293-0x0000000003B40000-0x0000000003B51000-memory.dmpFilesize
68KB
-
memory/1420-294-0x0000000004A50000-0x0000000004A61000-memory.dmpFilesize
68KB
-
memory/1420-295-0x0000000003B40000-0x0000000003B51000-memory.dmpFilesize
68KB
-
memory/1420-296-0x0000000004780000-0x0000000004791000-memory.dmpFilesize
68KB
-
memory/1420-297-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-298-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-300-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-303-0x0000000003D80000-0x0000000003D91000-memory.dmpFilesize
68KB
-
memory/1420-304-0x0000000004C20000-0x0000000004C31000-memory.dmpFilesize
68KB
-
memory/1420-305-0x0000000003D80000-0x0000000003D91000-memory.dmpFilesize
68KB
-
memory/1420-307-0x0000000003C60000-0x0000000003C71000-memory.dmpFilesize
68KB
-
memory/1420-308-0x00000000044D0000-0x00000000044E1000-memory.dmpFilesize
68KB
-
memory/1420-309-0x0000000003C60000-0x0000000003C71000-memory.dmpFilesize
68KB
-
memory/1420-310-0x00000000044D0000-0x00000000044E1000-memory.dmpFilesize
68KB
-
memory/1420-312-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-316-0x0000000004D60000-0x0000000004D71000-memory.dmpFilesize
68KB
-
memory/1420-317-0x0000000004D60000-0x0000000004D71000-memory.dmpFilesize
68KB
-
memory/1420-318-0x0000000005A30000-0x0000000005A41000-memory.dmpFilesize
68KB
-
memory/1420-319-0x0000000004D60000-0x0000000004D71000-memory.dmpFilesize
68KB
-
memory/1420-320-0x0000000005A30000-0x0000000005A41000-memory.dmpFilesize
68KB
-
memory/1420-324-0x0000000004D60000-0x0000000004D71000-memory.dmpFilesize
68KB
-
memory/1420-325-0x0000000003990000-0x00000000039A1000-memory.dmpFilesize
68KB
-
memory/1420-326-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-328-0x0000000003DA0000-0x0000000003DB1000-memory.dmpFilesize
68KB
-
memory/1420-330-0x00000000057D0000-0x00000000057E1000-memory.dmpFilesize
68KB
-
memory/1420-331-0x00000000075E0000-0x00000000075F1000-memory.dmpFilesize
68KB
-
memory/1420-332-0x00000000079F0000-0x0000000007A01000-memory.dmpFilesize
68KB
-
memory/1420-333-0x00000000075E0000-0x00000000075F1000-memory.dmpFilesize
68KB
-
memory/1420-334-0x00000000079F0000-0x0000000007A01000-memory.dmpFilesize
68KB
-
memory/1420-335-0x00000000075E0000-0x00000000075F1000-memory.dmpFilesize
68KB
-
memory/1420-336-0x00000000079F0000-0x0000000007A01000-memory.dmpFilesize
68KB
-
memory/1420-337-0x0000000007480000-0x0000000007491000-memory.dmpFilesize
68KB
-
memory/1420-338-0x0000000007890000-0x00000000078A1000-memory.dmpFilesize
68KB
-
memory/1568-102-0x0000000000000000-mapping.dmp
-
memory/1760-103-0x0000000000000000-mapping.dmp