Analysis
-
max time kernel
56s -
max time network
54s -
platform
windows7_x64 -
resource
win7 -
submitted
03-08-2020 10:02
Static task
static1
Behavioral task
behavioral1
Sample
ragnar_locker_EDP (1).exe
Resource
win7
Behavioral task
behavioral2
Sample
ragnar_locker_EDP (1).exe
Resource
win10v200722
General
-
Target
ragnar_locker_EDP (1).exe
-
Size
69KB
-
MD5
00fb3f27bccef7c5658ff9f5ce487cec
-
SHA1
c24fedb9b8a592722d5a9adb34d276fc3b329d6f
-
SHA256
b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186
-
SHA512
a2346683bbdb5c7d939c0eaa4fb3a411681fedfbf90bea2866482b699da56aeaa4a5b3ffe5f8f24fdb5f4966dd22b8293ed1ee0eed4552dd9bb81f708e2e0235
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_F0C1BF83.txt
ragnarlocker
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ragnar_locker_EDP (1).exedescription pid process target process PID 832 wrote to memory of 1908 832 ragnar_locker_EDP (1).exe wmic.exe PID 832 wrote to memory of 1908 832 ragnar_locker_EDP (1).exe wmic.exe PID 832 wrote to memory of 1908 832 ragnar_locker_EDP (1).exe wmic.exe PID 832 wrote to memory of 1908 832 ragnar_locker_EDP (1).exe wmic.exe PID 832 wrote to memory of 1988 832 ragnar_locker_EDP (1).exe vssadmin.exe PID 832 wrote to memory of 1988 832 ragnar_locker_EDP (1).exe vssadmin.exe PID 832 wrote to memory of 1988 832 ragnar_locker_EDP (1).exe vssadmin.exe PID 832 wrote to memory of 1988 832 ragnar_locker_EDP (1).exe vssadmin.exe PID 832 wrote to memory of 1332 832 ragnar_locker_EDP (1).exe notepad.exe PID 832 wrote to memory of 1332 832 ragnar_locker_EDP (1).exe notepad.exe PID 832 wrote to memory of 1332 832 ragnar_locker_EDP (1).exe notepad.exe PID 832 wrote to memory of 1332 832 ragnar_locker_EDP (1).exe notepad.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1988 vssadmin.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 10173 IoCs
Processes:
ragnar_locker_EDP (1).exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Document Themes 14\Foundry.thmx ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\MENUS.JS ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV ragnar_locker_EDP (1).exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh ragnar_locker_EDP (1).exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo ragnar_locker_EDP (1).exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png ragnar_locker_EDP (1).exe File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.NZ.XML ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF ragnar_locker_EDP (1).exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Wordcnvpxy.cnv ragnar_locker_EDP (1).exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jre7\lib\zi\PST8PDT ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_es.properties ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF ragnar_locker_EDP (1).exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8B.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15302_.GIF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF ragnar_locker_EDP (1).exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml ragnar_locker_EDP (1).exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar ragnar_locker_EDP (1).exe -
Drops startup file 1 IoCs
Processes:
ragnar_locker_EDP (1).exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_F0C1BF83.txt ragnar_locker_EDP (1).exe -
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ragnar_locker_EDP (1).exedescription ioc process File renamed C:\Users\Admin\Pictures\SetAdd.tif => C:\Users\Admin\Pictures\SetAdd.tif.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\DenyExport.tiff => C:\Users\Admin\Pictures\DenyExport.tiff.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\MoveUnprotect.raw => C:\Users\Admin\Pictures\MoveUnprotect.raw.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\ReadFind.raw => C:\Users\Admin\Pictures\ReadFind.raw.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\RegisterClear.raw => C:\Users\Admin\Pictures\RegisterClear.raw.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File opened for modification C:\Users\Admin\Pictures\TraceCompare.tiff ragnar_locker_EDP (1).exe File opened for modification C:\Users\Admin\Pictures\DenyExport.tiff ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\ShowCopy.png => C:\Users\Admin\Pictures\ShowCopy.png.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\TraceSkip.tif => C:\Users\Admin\Pictures\TraceSkip.tif.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\SwitchResolve.png => C:\Users\Admin\Pictures\SwitchResolve.png.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe File renamed C:\Users\Admin\Pictures\TraceCompare.tiff => C:\Users\Admin\Pictures\TraceCompare.tiff.ragnar_F0C1BF83 ragnar_locker_EDP (1).exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
ragnar_locker_EDP (1).exepid process 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe 832 ragnar_locker_EDP (1).exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ragnar_locker_EDP (1).exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 ragnar_locker_EDP (1).exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1332 notepad.exe -
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1908 wmic.exe Token: SeSecurityPrivilege 1908 wmic.exe Token: SeTakeOwnershipPrivilege 1908 wmic.exe Token: SeLoadDriverPrivilege 1908 wmic.exe Token: SeSystemProfilePrivilege 1908 wmic.exe Token: SeSystemtimePrivilege 1908 wmic.exe Token: SeProfSingleProcessPrivilege 1908 wmic.exe Token: SeIncBasePriorityPrivilege 1908 wmic.exe Token: SeCreatePagefilePrivilege 1908 wmic.exe Token: SeBackupPrivilege 1908 wmic.exe Token: SeRestorePrivilege 1908 wmic.exe Token: SeShutdownPrivilege 1908 wmic.exe Token: SeDebugPrivilege 1908 wmic.exe Token: SeSystemEnvironmentPrivilege 1908 wmic.exe Token: SeRemoteShutdownPrivilege 1908 wmic.exe Token: SeUndockPrivilege 1908 wmic.exe Token: SeManageVolumePrivilege 1908 wmic.exe Token: 33 1908 wmic.exe Token: 34 1908 wmic.exe Token: 35 1908 wmic.exe Token: SeBackupPrivilege 740 vssvc.exe Token: SeRestorePrivilege 740 vssvc.exe Token: SeAuditPrivilege 740 vssvc.exe Token: SeIncreaseQuotaPrivilege 1908 wmic.exe Token: SeSecurityPrivilege 1908 wmic.exe Token: SeTakeOwnershipPrivilege 1908 wmic.exe Token: SeLoadDriverPrivilege 1908 wmic.exe Token: SeSystemProfilePrivilege 1908 wmic.exe Token: SeSystemtimePrivilege 1908 wmic.exe Token: SeProfSingleProcessPrivilege 1908 wmic.exe Token: SeIncBasePriorityPrivilege 1908 wmic.exe Token: SeCreatePagefilePrivilege 1908 wmic.exe Token: SeBackupPrivilege 1908 wmic.exe Token: SeRestorePrivilege 1908 wmic.exe Token: SeShutdownPrivilege 1908 wmic.exe Token: SeDebugPrivilege 1908 wmic.exe Token: SeSystemEnvironmentPrivilege 1908 wmic.exe Token: SeRemoteShutdownPrivilege 1908 wmic.exe Token: SeUndockPrivilege 1908 wmic.exe Token: SeManageVolumePrivilege 1908 wmic.exe Token: 33 1908 wmic.exe Token: 34 1908 wmic.exe Token: 35 1908 wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe"C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe"1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Drops startup file
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Writes to the Master Boot Record (MBR)
-
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_F0C1BF83.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\RGNR_F0C1BF83.txt
-
memory/832-43-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-1-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-37-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-5-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-7-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-11-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-15-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-19-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-23-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-29-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-31-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-33-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-3-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-2-0x0000000002360000-0x0000000002371000-memory.dmpFilesize
68KB
-
memory/832-89-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-51-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-55-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-61-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-65-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-69-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-79-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-47-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-97-0x0000000002770000-0x0000000002781000-memory.dmpFilesize
68KB
-
memory/832-0-0x0000000002360000-0x0000000002371000-memory.dmpFilesize
68KB
-
memory/1332-102-0x0000000000000000-mapping.dmp
-
memory/1908-100-0x0000000000000000-mapping.dmp
-
memory/1988-101-0x0000000000000000-mapping.dmp