f0f90338553ab244d779b2f172c2e6c82f7fc5725cba6ddb8d09c48d5f481e07

Analysis

max time kernel
233s
max time network
212s
platform
windows10_x64
resource
win10-en-20211014
submitted
30/10/2021, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SS.exe
Size

30.3MB
MD5

d6d78e94de610fad6749338f855edbcc
SHA1

0fb9d7b713ae158bf35f480f62d20255b6d14a97
SHA256

f0f90338553ab244d779b2f172c2e6c82f7fc5725cba6ddb8d09c48d5f481e07
SHA512

33f36597a642af214f2e349015f5a0a625014536ae00016e9fdc110f2a37ea84cdfb7c6e9039a02830730314fc8358bc7076c7fdfec12c140f4394cfb0e4079f

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Windows\Vss\ReadIt.txt

Ransom Note

Hello my friend Your system was vulnerable I'm here to teach you a lesson,The Security Lesson!!!! All your files are encrypted and the important one stolen You must pay an anount of Bitcoin in exchange for decrypting files and understanding the flaws in your system And prevent your files from becoming public Don't worry about the amount, it's spent on the security of your system and it's fair. To show our good intentions and trust, you can send us a small, worthless file to test the decryption. This is your ID : 1BC1EC48 And this is my email :[email protected] Send your ID to my email to speack about it If I don't respond for 8 hours, send messages to these emails : - [email protected] - [email protected] Don't forget if you try to decypt them yourself, never come back to us. So the first thing you have to do is email us because no one can decrypt them.

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Loads dropped DLL 59 IoCs

pid	Process
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe
3104	SS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3104	SS.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\LargeTile.scale-100.png+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\ReadIt.txt	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\ReadIt.txt	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\ReadIt.txt	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\ReadIt.txt	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\ReadIt.txt	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\ReadIt.txt	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ReadIt.txt	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\ReadIt.txt	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\ReadIt.txt	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\ReadIt.txt	SS.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\ReadIt.txt	SS.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ReadIt.txt	SS.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE+Id(1BC1EC48) mail([email protected]).REAL	SS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms+Id(1BC1EC48) mail([email protected]).REAL	SS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Yes.txt	SS.exe
File created	C:\Windows\Vss\ReadIt.txt	SS.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3208	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2200	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	SS.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	powershell.exe
Token: SeSecurityPrivilege	1100	powershell.exe
Token: SeTakeOwnershipPrivilege	1100	powershell.exe
Token: SeLoadDriverPrivilege	1100	powershell.exe
Token: SeSystemProfilePrivilege	1100	powershell.exe
Token: SeSystemtimePrivilege	1100	powershell.exe
Token: SeProfSingleProcessPrivilege	1100	powershell.exe
Token: SeIncBasePriorityPrivilege	1100	powershell.exe
Token: SeCreatePagefilePrivilege	1100	powershell.exe
Token: SeBackupPrivilege	1100	powershell.exe
Token: SeRestorePrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeSystemEnvironmentPrivilege	1100	powershell.exe
Token: SeRemoteShutdownPrivilege	1100	powershell.exe
Token: SeUndockPrivilege	1100	powershell.exe
Token: SeManageVolumePrivilege	1100	powershell.exe
Token: 33	1100	powershell.exe
Token: 34	1100	powershell.exe
Token: 35	1100	powershell.exe
Token: 36	1100	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeBackupPrivilege	2252	vssvc.exe
Token: SeRestorePrivilege	2252	vssvc.exe
Token: SeAuditPrivilege	2252	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3104	2756	SS.exe	69
PID 2756 wrote to memory of 3104	2756	SS.exe	69
PID 3104 wrote to memory of 3412	3104	SS.exe	70
PID 3104 wrote to memory of 3412	3104	SS.exe	70
PID 3412 wrote to memory of 1100	3412	cmd.exe	72
PID 3412 wrote to memory of 1100	3412	cmd.exe	72
PID 3104 wrote to memory of 1508	3104	SS.exe	74
PID 3104 wrote to memory of 1508	3104	SS.exe	74
PID 1508 wrote to memory of 1532	1508	cmd.exe	76
PID 1508 wrote to memory of 1532	1508	cmd.exe	76
PID 1532 wrote to memory of 3208	1532	powershell.exe	77
PID 1532 wrote to memory of 3208	1532	powershell.exe	77
PID 3104 wrote to memory of 3564	3104	SS.exe	80
PID 3104 wrote to memory of 3564	3104	SS.exe	80
PID 3564 wrote to memory of 2200	3564	cmd.exe	82
PID 3564 wrote to memory of 2200	3564	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\SS.exe
"C:\Users\Admin\AppData\Local\Temp\SS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\SS.exe
  "C:\Users\Admin\AppData\Local\Temp\SS.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -C Set-MpPreference -DisableRealtimeMonitoring $true ;
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -C Set-MpPreference -DisableRealtimeMonitoring $true ;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -C vssadmin Delete Shadows /all /quiet ;
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -C vssadmin Delete Shadows /all /quiet ;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-196-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-220-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-182-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-183-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-184-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-185-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-186-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-187-0x0000012C71190000-0x0000012C71191000-memory.dmp

Filesize
4KB

Download
memory/1100-188-0x0000012C71430000-0x0000012C71432000-memory.dmp

Filesize
8KB

Download
memory/1100-189-0x0000012C71433000-0x0000012C71435000-memory.dmp

Filesize
8KB

Download
memory/1100-190-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-191-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-192-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-193-0x0000012C73F30000-0x0000012C73F31000-memory.dmp

Filesize
4KB

Download
memory/1100-194-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-231-0x0000012C71438000-0x0000012C71439000-memory.dmp

Filesize
4KB

Download
memory/1100-197-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-201-0x0000012C71436000-0x0000012C71438000-memory.dmp

Filesize
8KB

Download
memory/1100-218-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1100-219-0x0000012C6F490000-0x0000012C6F492000-memory.dmp

Filesize
8KB

Download
memory/1532-237-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-232-0x00000175426C0000-0x00000175426C2000-memory.dmp

Filesize
8KB

Download
memory/1532-223-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-240-0x00000175426C6000-0x00000175426C8000-memory.dmp

Filesize
8KB

Download
memory/1532-225-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-226-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-227-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-230-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-229-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-224-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/1532-234-0x00000175426C3000-0x00000175426C5000-memory.dmp

Filesize
8KB

Download
memory/1532-233-0x0000017528710000-0x0000017528712000-memory.dmp

Filesize
8KB

Download
memory/3104-241-0x000001E368430000-0x000001E368431000-memory.dmp

Filesize
4KB

Download