Analysis
max time kernel: 55s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 28-08-2020 03:44
Static task: static1

Behavioral task: behavioral1
Sample: 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource: win7v200722

Behavioral task: behavioral2
Sample: 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Resource: win10
General
Target: 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Size: 54KB
MD5: 439ef1ddf569a7d6a8280a229357fcfc
SHA1: c1a5dfd851337cd12770244c97e83b7066dea781
SHA256: 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804
SHA512: fe4c2a55135f065af8733a1eeb9904353b7279f44ecb8732c58067d4b15f03c5c15d10857994943e785c35a688ca2ee9f333abf3a6dca80542d651be6b77e75e
Malware Config
Extracted
C:\Users\Public\Documents\!$R4GN4R_2D08E9B5$!.txt
ragnarlocker
http://prnt.sc/tz6u6u
http://prnt.sc/tz6uq9
http://prnt.sc/tz6uz9
http://prnt.sc/tz6w7x
http://prnt.sc/tzoumv
http://p6o7m73ujalhgkiv.onion/?J0gYIisP3R7m
http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?E5AddcB5e33bF83b3e3e23ef7fD9Dc28eAe4CA0f2D0992AC4d688A35eB5c543F
Signatures
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
Processes:
pid | process
1860 | bcdedit.exe
1280 | bcdedit.exe
2484 | bcdedit.exe

Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe

Modifies service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe

Drops file in Program Files directory 2538 IoCs
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1048 | vssadmin.exe

Modifies data under HKEY_USERS 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 5895bffbed7cd601 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe

Suspicious behavior: EnumeratesProcesses 286 IoCs
Processes:
pid | process
2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3912 | svchost.exe
Token: SeCreatePagefilePrivilege | 3912 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeRestorePrivilege | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Token: SeIncreaseQuotaPrivilege | 2528 | wmic.exe
Token: SeSecurityPrivilege | 2528 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2528 | wmic.exe
Token: SeLoadDriverPrivilege | 2528 | wmic.exe
Token: SeSystemProfilePrivilege | 2528 | wmic.exe
Token: SeSystemtimePrivilege | 2528 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2528 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2528 | wmic.exe
Token: SeCreatePagefilePrivilege | 2528 | wmic.exe
Token: SeBackupPrivilege | 2528 | wmic.exe
Token: SeRestorePrivilege | 2528 | wmic.exe
Token: SeShutdownPrivilege | 2528 | wmic.exe
Token: SeDebugPrivilege | 2528 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2528 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2528 | wmic.exe
Token: SeUndockPrivilege | 2528 | wmic.exe
Token: SeManageVolumePrivilege | 2528 | wmic.exe
Token: 33 | 2528 | wmic.exe
Token: 34 | 2528 | wmic.exe
Token: 35 | 2528 | wmic.exe
Token: 36 | 2528 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2528 | wmic.exe
Token: SeSecurityPrivilege | 2528 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2528 | wmic.exe
Token: SeLoadDriverPrivilege | 2528 | wmic.exe
Token: SeSystemProfilePrivilege | 2528 | wmic.exe
Token: SeSystemtimePrivilege | 2528 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2528 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2528 | wmic.exe
Token: SeCreatePagefilePrivilege | 2528 | wmic.exe
Token: SeBackupPrivilege | 2528 | wmic.exe
Token: SeRestorePrivilege | 2528 | wmic.exe
Token: SeShutdownPrivilege | 2528 | wmic.exe
Token: SeDebugPrivilege | 2528 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2528 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2528 | wmic.exe
Token: SeUndockPrivilege | 2528 | wmic.exe
Token: SeManageVolumePrivilege | 2528 | wmic.exe
Token: 33 | 2528 | wmic.exe
Token: 34 | 2528 | wmic.exe
Token: 35 | 2528 | wmic.exe
Token: 36 | 2528 | wmic.exe
Token: SeBackupPrivilege | 2364 | vssvc.exe
Token: SeRestorePrivilege | 2364 | vssvc.exe
Token: SeAuditPrivilege | 2364 | vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 2880 wrote to memory of 2528 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | wmic.exe
PID 2880 wrote to memory of 2528 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | wmic.exe
PID 2880 wrote to memory of 1048 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | vssadmin.exe
PID 2880 wrote to memory of 1048 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | vssadmin.exe
PID 2880 wrote to memory of 1860 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 2880 wrote to memory of 1860 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 2880 wrote to memory of 1280 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 2880 wrote to memory of 1280 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 2880 wrote to memory of 2484 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe
PID 2880 wrote to memory of 2484 | 2880 | 3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe | bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804.bin.exe"
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies

    C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit

    C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

    C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit /set {globalsettings} advancedoptions false
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
4KB
-
memory/2880-185-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-186-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-187-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-188-0x00000000064B0000-0x00000000064B4000-memory.dmpFilesize
16KB
-
memory/2880-189-0x00000000064B0000-0x00000000064B4000-memory.dmpFilesize
16KB
-
memory/2880-191-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-192-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-193-0x0000000006B90000-0x0000000006B91000-memory.dmpFilesize
4KB
-
memory/2880-195-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-1-0x0000000006210000-0x0000000006211000-memory.dmpFilesize
4KB
-
memory/2880-198-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-199-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-161-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-0-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/2880-320-0x0000000006250000-0x0000000006257000-memory.dmpFilesize
28KB
-
memory/2880-204-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-208-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-210-0x0000000006B90000-0x0000000006B91000-memory.dmpFilesize
4KB
-
memory/2880-211-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-212-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-213-0x0000000006420000-0x0000000006421000-memory.dmpFilesize
4KB
-
memory/2880-214-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/2880-215-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-216-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-219-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-218-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-220-0x0000000007580000-0x0000000007581000-memory.dmpFilesize
4KB
-
memory/2880-221-0x0000000007FC0000-0x0000000007FC1000-memory.dmpFilesize
4KB
-
memory/2880-223-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-225-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-226-0x0000000006B90000-0x0000000006B91000-memory.dmpFilesize
4KB
-
memory/2880-227-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-228-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-230-0x0000000006250000-0x0000000006253000-memory.dmpFilesize
12KB
-
memory/2880-231-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-232-0x00000000064E0000-0x00000000064E1000-memory.dmpFilesize
4KB
-
memory/2880-233-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-234-0x0000000006BA0000-0x0000000006BA5000-memory.dmpFilesize
20KB
-
memory/2880-236-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-237-0x0000000006750000-0x0000000006751000-memory.dmpFilesize
4KB
-
memory/2880-238-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-239-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-240-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-241-0x00000000065E0000-0x00000000065E1000-memory.dmpFilesize
4KB
-
memory/2880-242-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-243-0x00000000064D0000-0x00000000064D1000-memory.dmpFilesize
4KB
-
memory/2880-244-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-246-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-247-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-248-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-249-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-250-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-251-0x00000000064D0000-0x00000000064D1000-memory.dmpFilesize
4KB
-
memory/2880-252-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-253-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-255-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-256-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-259-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-258-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-260-0x00000000064D0000-0x00000000064D1000-memory.dmpFilesize
4KB
-
memory/2880-261-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-263-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-262-0x0000000006B90000-0x0000000006B91000-memory.dmpFilesize
4KB
-
memory/2880-266-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-267-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-269-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-270-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-272-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-273-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-274-0x0000000006260000-0x0000000006263000-memory.dmpFilesize
12KB
-
memory/2880-275-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-276-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-278-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-279-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-281-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-282-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-284-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-285-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-287-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-288-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-290-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-291-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-292-0x0000000006390000-0x0000000006391000-memory.dmpFilesize
4KB
-
memory/2880-293-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-295-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-296-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-298-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-299-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-300-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-301-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-302-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-304-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/2880-305-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-306-0x0000000006BA0000-0x0000000006BA5000-memory.dmpFilesize
20KB
-
memory/2880-307-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/2880-308-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-310-0x0000000006250000-0x0000000006253000-memory.dmpFilesize
12KB
-
memory/2880-311-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-313-0x0000000006250000-0x0000000006253000-memory.dmpFilesize
12KB
-
memory/2880-314-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-316-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-315-0x0000000006250000-0x0000000006253000-memory.dmpFilesize
12KB
-
memory/2880-317-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-318-0x0000000006250000-0x0000000006253000-memory.dmpFilesize
12KB
-
memory/2880-319-0x0000000006270000-0x0000000006273000-memory.dmpFilesize
12KB
-
memory/2880-202-0x0000000006A50000-0x0000000006A51000-memory.dmpFilesize
4KB
-
memory/2880-321-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-322-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2880-325-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-328-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-330-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/2880-331-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2880-333-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB