Analysis
- max time kernel: 128s
- max time network: 40s
- platform: windows10_x64
- resource: win10v200430
- submitted: 03-06-2020 08:32
Static task: static1
Behavioral task: behavioral1 (Sample: true.bin.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: true.bin.exe, Resource: win10v200430)
General
- Target: true.bin.exe
- Size: 47KB
- MD5: 3ca359f5085bb96a7950d4735b089ffe
- SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde
- SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
- SHA512: 67ac9a483062f42b984f8d2798a02461f27a718f5b93b6f84645170b65e8edbbfddae52c8bee4fd6735fea0e977d8615d1d5c49481e4fbf1480e5e2113af0426
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_FB7C60F2.txt
ragnarlocker
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
true.bin.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | true.bin.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Drops file in Program Files directory 19499 IoCs
-
Drops startup file 1 IoCs
Processes:
true.bin.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_FB7C60F2.txt | true.bin.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exe
pid | process
2960 | notepad.exe
-
Suspicious behavior: EnumeratesProcesses 100 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
2108 | vssadmin.exe
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
true.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\RedoNew.tiff => C:\Users\Admin\Pictures\RedoNew.tiff.ragnar_FB7C60F2 | true.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SendSearch.tiff | true.bin.exe
File renamed | C:\Users\Admin\Pictures\SendSearch.tiff => C:\Users\Admin\Pictures\SendSearch.tiff.ragnar_FB7C60F2 | true.bin.exe
File renamed | C:\Users\Admin\Pictures\UnprotectCopy.crw => C:\Users\Admin\Pictures\UnprotectCopy.crw.ragnar_FB7C60F2 | true.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ResizeJoin.tiff | true.bin.exe
File renamed | C:\Users\Admin\Pictures\ResizeJoin.tiff => C:\Users\Admin\Pictures\ResizeJoin.tiff.ragnar_FB7C60F2 | true.bin.exe
File opened for modification | C:\Users\Admin\Pictures\RedoNew.tiff | true.bin.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
true.bin.exe
description | pid | process | target process
PID 3216 wrote to memory of 2104 | 3216 | true.bin.exe | wmic.exe
PID 3216 wrote to memory of 2104 | 3216 | true.bin.exe | wmic.exe
PID 3216 wrote to memory of 2108 | 3216 | true.bin.exe | vssadmin.exe
PID 3216 wrote to memory of 2108 | 3216 | true.bin.exe | vssadmin.exe
PID 3216 wrote to memory of 2960 | 3216 | true.bin.exe | notepad.exe
PID 3216 wrote to memory of 2960 | 3216 | true.bin.exe | notepad.exe
PID 3216 wrote to memory of 2960 | 3216 | true.bin.exe | notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\true.bin.exe | "C:\Users\Admin\AppData\Local\Temp\true.bin.exe" | process tree depth 1
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete | process tree depth 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\vssadmin.exe | vssadmin delete shadows /all /quiet | process tree depth 2
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exe | C:\Users\Public\Documents\RGNR_FB7C60F2.txt | process tree depth 2
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | process tree depth 1
- Suspicious use of AdjustPrivilegeToken
- Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Documents\RGNR_FB7C60F2.txt