Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10_x64 -
resource
win10 -
submitted
01-08-2020 02:09
Static task
static1
Behavioral task
behavioral1
Sample
edp_ragnarlocker.exe
Resource
win7
Behavioral task
behavioral2
Sample
edp_ragnarlocker.exe
Resource
win10
General
-
Target
edp_ragnarlocker.exe
-
Size
47KB
-
MD5
3ca359f5085bb96a7950d4735b089ffe
-
SHA1
60747604d54a18c4e4dc1a2c209e77a793e64dde
-
SHA256
7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
-
SHA512
67ac9a483062f42b984f8d2798a02461f27a718f5b93b6f84645170b65e8edbbfddae52c8bee4fd6735fea0e977d8615d1d5c49481e4fbf1480e5e2113af0426
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_2D08E9B5.txt
ragnarlocker
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
Drops file in Program Files directory 19473 IoCs
Processes:
edp_ragnarlocker.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Lift.Engine.winmd edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\AquariumDeck4.jpg edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml edp_ragnarlocker.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\eu_16x11.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close2x.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js edp_ragnarlocker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\mcxml\x-none\OneDriveSetup.x-none.msi.16_OneDriveSetup.mcxml edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Scale.scale-100.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_32x32x32.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-100.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\hm_60x42.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_selectlist_checkmark_18.svg edp_ragnarlocker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_rate_and_review.png edp_ragnarlocker.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js edp_ragnarlocker.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf edp_ragnarlocker.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10178_40x40x32.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js edp_ragnarlocker.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-125.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-32.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js edp_ragnarlocker.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-16.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-200.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\ui-strings.js edp_ragnarlocker.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.LEX edp_ragnarlocker.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\RGNR_2D08E9B5.txt edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.scale-200.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLookingUp.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6478_32x32x32.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-60.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\WideTile.scale-125.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\PlaneCutKeepTop.scale-100.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-30_altform-unplated.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-100.png edp_ragnarlocker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ph_16x11.png edp_ragnarlocker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js edp_ragnarlocker.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\RGNR_2D08E9B5.txt edp_ragnarlocker.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1664 notepad.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
edp_ragnarlocker.exedescription pid process target process PID 2920 wrote to memory of 3900 2920 edp_ragnarlocker.exe wmic.exe PID 2920 wrote to memory of 3900 2920 edp_ragnarlocker.exe wmic.exe PID 2920 wrote to memory of 3780 2920 edp_ragnarlocker.exe vssadmin.exe PID 2920 wrote to memory of 3780 2920 edp_ragnarlocker.exe vssadmin.exe PID 2920 wrote to memory of 1664 2920 edp_ragnarlocker.exe notepad.exe PID 2920 wrote to memory of 1664 2920 edp_ragnarlocker.exe notepad.exe PID 2920 wrote to memory of 1664 2920 edp_ragnarlocker.exe notepad.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 3900 wmic.exe Token: SeSecurityPrivilege 3900 wmic.exe Token: SeTakeOwnershipPrivilege 3900 wmic.exe Token: SeLoadDriverPrivilege 3900 wmic.exe Token: SeSystemProfilePrivilege 3900 wmic.exe Token: SeSystemtimePrivilege 3900 wmic.exe Token: SeProfSingleProcessPrivilege 3900 wmic.exe Token: SeIncBasePriorityPrivilege 3900 wmic.exe Token: SeCreatePagefilePrivilege 3900 wmic.exe Token: SeBackupPrivilege 3900 wmic.exe Token: SeRestorePrivilege 3900 wmic.exe Token: SeShutdownPrivilege 3900 wmic.exe Token: SeDebugPrivilege 3900 wmic.exe Token: SeSystemEnvironmentPrivilege 3900 wmic.exe Token: SeRemoteShutdownPrivilege 3900 wmic.exe Token: SeUndockPrivilege 3900 wmic.exe Token: SeManageVolumePrivilege 3900 wmic.exe Token: 33 3900 wmic.exe Token: 34 3900 wmic.exe Token: 35 3900 wmic.exe Token: 36 3900 wmic.exe Token: SeBackupPrivilege 864 vssvc.exe Token: SeRestorePrivilege 864 vssvc.exe Token: SeAuditPrivilege 864 vssvc.exe Token: SeIncreaseQuotaPrivilege 3900 wmic.exe Token: SeSecurityPrivilege 3900 wmic.exe Token: SeTakeOwnershipPrivilege 3900 wmic.exe Token: SeLoadDriverPrivilege 3900 wmic.exe Token: SeSystemProfilePrivilege 3900 wmic.exe Token: SeSystemtimePrivilege 3900 wmic.exe Token: SeProfSingleProcessPrivilege 3900 wmic.exe Token: SeIncBasePriorityPrivilege 3900 wmic.exe Token: SeCreatePagefilePrivilege 3900 wmic.exe Token: SeBackupPrivilege 3900 wmic.exe Token: SeRestorePrivilege 3900 wmic.exe Token: SeShutdownPrivilege 3900 wmic.exe Token: SeDebugPrivilege 3900 wmic.exe Token: SeSystemEnvironmentPrivilege 3900 wmic.exe Token: SeRemoteShutdownPrivilege 3900 wmic.exe Token: SeUndockPrivilege 3900 wmic.exe Token: SeManageVolumePrivilege 3900 wmic.exe Token: 33 3900 wmic.exe Token: 34 3900 wmic.exe Token: 35 3900 wmic.exe Token: 36 3900 wmic.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3780 vssadmin.exe -
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Drops startup file 1 IoCs
Processes:
edp_ragnarlocker.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_2D08E9B5.txt edp_ragnarlocker.exe -
Suspicious behavior: EnumeratesProcesses 100 IoCs
Processes:
edp_ragnarlocker.exepid process 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe 2920 edp_ragnarlocker.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
edp_ragnarlocker.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 edp_ragnarlocker.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
edp_ragnarlocker.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\MeasureUninstall.tiff edp_ragnarlocker.exe File renamed C:\Users\Admin\Pictures\MeasureUninstall.tiff => C:\Users\Admin\Pictures\MeasureUninstall.tiff.ragnar_2D08E9B5 edp_ragnarlocker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe"C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Writes to the Master Boot Record (MBR)
- Modifies extensions of user files
-
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_2D08E9B5.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\RGNR_2D08E9B5.txt
-
memory/1664-102-0x0000000000000000-mapping.dmp
-
memory/2920-31-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-71-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-5-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-7-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-9-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-11-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-15-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-17-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-21-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-25-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-1-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-0-0x0000000002670000-0x0000000002671000-memory.dmpFilesize
4KB
-
memory/2920-61-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-59-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-49-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-65-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-3-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-79-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-83-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-99-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2920-2-0x0000000002670000-0x0000000002671000-memory.dmpFilesize
4KB
-
memory/2920-37-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3780-101-0x0000000000000000-mapping.dmp
-
memory/3900-100-0x0000000000000000-mapping.dmp