Analysis
-
max time kernel
53s -
max time network
113s -
platform
windows10_x64 -
resource
win10 -
submitted
30-07-2020 11:01
Static task
static1
Behavioral task
behavioral1
Sample
CWT_company_ragnar_locker.exe
Resource
win7
Behavioral task
behavioral2
Sample
CWT_company_ragnar_locker.exe
Resource
win10
General
-
Target
CWT_company_ragnar_locker.exe
-
Size
54KB
-
MD5
574f3513f6d7e15f102e82e4d35bf164
-
SHA1
f7a38385fe41bcd154fc7b6da034bfe719d6a0a7
-
SHA256
04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87
-
SHA512
a6ffed4af6cbbeb0bd95ce4ea801d25669540d71ddf4d41aaf2fbf51b0820802fee90bca5981cb498ed0945c1149acf820990e57f6deb845380d343d2a6e9350
Malware Config
Extracted
C:\Users\Public\Documents\!$R4GN4R_2D08E9B5$!.txt
ragnarlocker
http://prntscr.com/to31n0
https://prnt.sc/to2kqq
https://prnt.sc/to2lbp
https://prnt.sc/tnzooz
https://prnt.sc/tnzqxf
https://prnt.sc/to2qlx
http://prnt.sc/to2rab
http://p6o7m73ujalhgkiv.onion/?BatxqaHm8rKxIP16Z1xB
http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3624 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 204 IoCs
Processes:
CWT_company_ragnar_locker.exepid process 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe 3888 CWT_company_ragnar_locker.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
CWT_company_ragnar_locker.exewmic.exevssvc.exedescription pid process Token: SeTakeOwnershipPrivilege 3888 CWT_company_ragnar_locker.exe Token: SeRestorePrivilege 3888 CWT_company_ragnar_locker.exe Token: SeIncreaseQuotaPrivilege 3748 wmic.exe Token: SeSecurityPrivilege 3748 wmic.exe Token: SeTakeOwnershipPrivilege 3748 wmic.exe Token: SeLoadDriverPrivilege 3748 wmic.exe Token: SeSystemProfilePrivilege 3748 wmic.exe Token: SeSystemtimePrivilege 3748 wmic.exe Token: SeProfSingleProcessPrivilege 3748 wmic.exe Token: SeIncBasePriorityPrivilege 3748 wmic.exe Token: SeCreatePagefilePrivilege 3748 wmic.exe Token: SeBackupPrivilege 3748 wmic.exe Token: SeRestorePrivilege 3748 wmic.exe Token: SeShutdownPrivilege 3748 wmic.exe Token: SeDebugPrivilege 3748 wmic.exe Token: SeSystemEnvironmentPrivilege 3748 wmic.exe Token: SeRemoteShutdownPrivilege 3748 wmic.exe Token: SeUndockPrivilege 3748 wmic.exe Token: SeManageVolumePrivilege 3748 wmic.exe Token: 33 3748 wmic.exe Token: 34 3748 wmic.exe Token: 35 3748 wmic.exe Token: 36 3748 wmic.exe Token: SeBackupPrivilege 2572 vssvc.exe Token: SeRestorePrivilege 2572 vssvc.exe Token: SeAuditPrivilege 2572 vssvc.exe Token: SeIncreaseQuotaPrivilege 3748 wmic.exe Token: SeSecurityPrivilege 3748 wmic.exe Token: SeTakeOwnershipPrivilege 3748 wmic.exe Token: SeLoadDriverPrivilege 3748 wmic.exe Token: SeSystemProfilePrivilege 3748 wmic.exe Token: SeSystemtimePrivilege 3748 wmic.exe Token: SeProfSingleProcessPrivilege 3748 wmic.exe Token: SeIncBasePriorityPrivilege 3748 wmic.exe Token: SeCreatePagefilePrivilege 3748 wmic.exe Token: SeBackupPrivilege 3748 wmic.exe Token: SeRestorePrivilege 3748 wmic.exe Token: SeShutdownPrivilege 3748 wmic.exe Token: SeDebugPrivilege 3748 wmic.exe Token: SeSystemEnvironmentPrivilege 3748 wmic.exe Token: SeRemoteShutdownPrivilege 3748 wmic.exe Token: SeUndockPrivilege 3748 wmic.exe Token: SeManageVolumePrivilege 3748 wmic.exe Token: 33 3748 wmic.exe Token: 34 3748 wmic.exe Token: 35 3748 wmic.exe Token: 36 3748 wmic.exe -
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exepid process 3596 bcdedit.exe 2204 bcdedit.exe 3040 bcdedit.exe -
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Drops file in Program Files directory 2426 IoCs
Processes:
CWT_company_ragnar_locker.exedescription ioc process File created C:\Program Files\7-Zip\!$R4GN4R_2D08E9B5$!.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar CWT_company_ragnar_locker.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\!$R4GN4R_2D08E9B5$!.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml CWT_company_ragnar_locker.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!$R4GN4R_2D08E9B5$!.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-nodes.xml CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_hu.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms CWT_company_ragnar_locker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms CWT_company_ragnar_locker.exe File created C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\!$R4GN4R_2D08E9B5$!.txt CWT_company_ragnar_locker.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
CWT_company_ragnar_locker.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 CWT_company_ragnar_locker.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
CWT_company_ragnar_locker.exedescription pid process target process PID 3888 wrote to memory of 3748 3888 CWT_company_ragnar_locker.exe wmic.exe PID 3888 wrote to memory of 3748 3888 CWT_company_ragnar_locker.exe wmic.exe PID 3888 wrote to memory of 3624 3888 CWT_company_ragnar_locker.exe vssadmin.exe PID 3888 wrote to memory of 3624 3888 CWT_company_ragnar_locker.exe vssadmin.exe PID 3888 wrote to memory of 3596 3888 CWT_company_ragnar_locker.exe bcdedit.exe PID 3888 wrote to memory of 3596 3888 CWT_company_ragnar_locker.exe bcdedit.exe PID 3888 wrote to memory of 2204 3888 CWT_company_ragnar_locker.exe bcdedit.exe PID 3888 wrote to memory of 2204 3888 CWT_company_ragnar_locker.exe bcdedit.exe PID 3888 wrote to memory of 3040 3888 CWT_company_ragnar_locker.exe bcdedit.exe PID 3888 wrote to memory of 3040 3888 CWT_company_ragnar_locker.exe bcdedit.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
CWT_company_ragnar_locker.exedescription ioc process File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini CWT_company_ragnar_locker.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CWT_company_ragnar_locker.exe"C:\Users\Admin\AppData\Local\Temp\CWT_company_ragnar_locker.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Drops file in Program Files directory
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
PID:3888 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3624 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:3596 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵
- Modifies boot configuration data using bcdedit
PID:2204 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit /set {globalsettings} advancedoptions false2⤵
- Modifies boot configuration data using bcdedit
PID:3040
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2572
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2204-105-0x0000000000000000-mapping.dmp
-
memory/3040-106-0x0000000000000000-mapping.dmp
-
memory/3596-104-0x0000000000000000-mapping.dmp
-
memory/3624-103-0x0000000000000000-mapping.dmp
-
memory/3748-102-0x0000000000000000-mapping.dmp
-
memory/3888-154-0x0000000006AE0000-0x0000000006AE1000-memory.dmpFilesize
4KB
-
memory/3888-110-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-2-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3888-3-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-7-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-9-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-11-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-17-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-19-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-20-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3888-23-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-29-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-31-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-33-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-35-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-47-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-57-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-59-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-61-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-69-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-81-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-93-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-107-0x0000000006200000-0x0000000006201000-memory.dmpFilesize
4KB
-
memory/3888-108-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/3888-109-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-157-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/3888-111-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-112-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-114-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-116-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-117-0x00000000066E0000-0x00000000066E1000-memory.dmpFilesize
4KB
-
memory/3888-118-0x0000000007040000-0x0000000007041000-memory.dmpFilesize
4KB
-
memory/3888-120-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-121-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-122-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-123-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-124-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-125-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-126-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-127-0x0000000005F40000-0x0000000005F43000-memory.dmpFilesize
12KB
-
memory/3888-128-0x0000000006800000-0x0000000006801000-memory.dmpFilesize
4KB
-
memory/3888-129-0x0000000007000000-0x0000000007001000-memory.dmpFilesize
4KB
-
memory/3888-130-0x0000000005F40000-0x0000000005F43000-memory.dmpFilesize
12KB
-
memory/3888-131-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-132-0x00000000066E0000-0x00000000066E1000-memory.dmpFilesize
4KB
-
memory/3888-134-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/3888-133-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/3888-136-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-137-0x0000000005F60000-0x0000000005F63000-memory.dmpFilesize
12KB
-
memory/3888-138-0x0000000005F60000-0x0000000005F63000-memory.dmpFilesize
12KB
-
memory/3888-139-0x0000000005F60000-0x0000000005F63000-memory.dmpFilesize
12KB
-
memory/3888-140-0x0000000005F60000-0x0000000005F63000-memory.dmpFilesize
12KB
-
memory/3888-141-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-142-0x0000000006360000-0x0000000006361000-memory.dmpFilesize
4KB
-
memory/3888-143-0x0000000006B60000-0x0000000006B61000-memory.dmpFilesize
4KB
-
memory/3888-145-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-146-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-147-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-148-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-158-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-150-0x0000000006560000-0x0000000006561000-memory.dmpFilesize
4KB
-
memory/3888-151-0x0000000006D60000-0x0000000006D61000-memory.dmpFilesize
4KB
-
memory/3888-153-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-0-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3888-166-0x0000000005F60000-0x0000000005F62000-memory.dmpFilesize
8KB
-
memory/3888-1-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3888-149-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-160-0x00000000066E0000-0x00000000066E1000-memory.dmpFilesize
4KB
-
memory/3888-161-0x0000000006EE0000-0x0000000006EE1000-memory.dmpFilesize
4KB
-
memory/3888-162-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB
-
memory/3888-163-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/3888-164-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-165-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-155-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-167-0x0000000005F60000-0x0000000005F62000-memory.dmpFilesize
8KB
-
memory/3888-169-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/3888-170-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/3888-171-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-172-0x0000000006130000-0x0000000006131000-memory.dmpFilesize
4KB
-
memory/3888-173-0x0000000006930000-0x0000000006931000-memory.dmpFilesize
4KB
-
memory/3888-174-0x0000000006120000-0x0000000006121000-memory.dmpFilesize
4KB
-
memory/3888-175-0x0000000006920000-0x0000000006921000-memory.dmpFilesize
4KB
-
memory/3888-177-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-178-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-179-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-180-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-182-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-184-0x0000000006420000-0x0000000006421000-memory.dmpFilesize
4KB
-
memory/3888-185-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/3888-186-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-187-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-188-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-189-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-190-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/3888-191-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/3888-193-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-198-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-199-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-200-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-201-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-202-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-203-0x0000000006200000-0x0000000006201000-memory.dmpFilesize
4KB
-
memory/3888-204-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/3888-205-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/3888-206-0x0000000006890000-0x0000000006891000-memory.dmpFilesize
4KB
-
memory/3888-207-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-208-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-209-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/3888-210-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-211-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-212-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-214-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3888-216-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/3888-219-0x0000000006800000-0x0000000006801000-memory.dmpFilesize
4KB
-
memory/3888-220-0x0000000007000000-0x0000000007001000-memory.dmpFilesize
4KB
-
memory/3888-221-0x0000000006800000-0x0000000006801000-memory.dmpFilesize
4KB
-
memory/3888-222-0x0000000005F50000-0x0000000005F53000-memory.dmpFilesize
12KB
-
memory/3888-223-0x00000000062F0000-0x00000000062F1000-memory.dmpFilesize
4KB
-
memory/3888-224-0x0000000006AF0000-0x0000000006AF1000-memory.dmpFilesize
4KB
-
memory/3888-225-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/3888-226-0x0000000006890000-0x0000000006891000-memory.dmpFilesize
4KB
-
memory/3888-227-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/3888-228-0x0000000006890000-0x0000000006891000-memory.dmpFilesize
4KB
-
memory/3888-229-0x0000000005F50000-0x0000000005F52000-memory.dmpFilesize
8KB
-
memory/3888-232-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-233-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-234-0x0000000005F50000-0x0000000005F52000-memory.dmpFilesize
8KB
-
memory/3888-236-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/3888-238-0x00000000069E0000-0x00000000069E1000-memory.dmpFilesize
4KB
-
memory/3888-240-0x0000000006890000-0x0000000006891000-memory.dmpFilesize
4KB
-
memory/3888-242-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB