lockbit | 7f899996d4bc193a1739b8f9ca51a7f46a7d41007f472df5622208e2db62b232

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lockbit-Ransomware-Builder-main (1).zip
Size

283KB
MD5

0f4c1f0cbe1e3ad1b4fdb0f8de101938
SHA1

c7edeff3353e58c4133fb456d17ac6593c1882c4
SHA256

7f899996d4bc193a1739b8f9ca51a7f46a7d41007f472df5622208e2db62b232
SHA512

98793bae94bfb3baff6f3f76d2c9251eee64d5ec305f3b2384b2bf5157872a1cb83809fa4a5fdb40ed4bd14761936ce43a6c3575e17a2c91b6df7319db06ecbc
SSDEEP

6144:eW+LYvU1+OsOtX2lUFW+LYvU1+OsOtX2lUpW+LYvU1+OsOtX2lUK:WeItX2l2eItX2lUeItX2l9

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b76-4.dat	family_lockbit

Renames multiple (594) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C8B0.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	C8B0.tmp

Executes dropped EXE 2 IoCs

Processes:

Builder.exeC8B0.tmp

pid	Process
1700	Builder.exe
4848	C8B0.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

Builder.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini	Builder.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini	Builder.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPd2_73xjk1z0rxj8650yo0x34c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP7v0hiy84l3d0v5yytkp9_e31.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPoefh70pgr6fhzopw3g5wyihlc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Builder.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	Builder.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

C8B0.tmp

pid	Process
4848	C8B0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Builder.exeC8B0.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C8B0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Builder.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop	Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "10"	Builder.exe

Modifies registry class 5 IoCs

Processes:

Builder.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY	Builder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY\ = "1pvSvxmZY"	Builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon	Builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY	Builder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon\ = "C:\\ProgramData\\1pvSvxmZY.ico"	Builder.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3920	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid	Process
648	ONENOTE.EXE
648	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Builder.exe

pid	Process
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe
1700	Builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
5056	7zFM.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Builder.exe

pid	Process
1700	Builder.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeBuilder.exe

description	pid	Process
Token: SeRestorePrivilege	5056	7zFM.exe
Token: 35	5056	7zFM.exe
Token: SeSecurityPrivilege	5056	7zFM.exe
Token: SeAssignPrimaryTokenPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeDebugPrivilege	1700	Builder.exe
Token: 36	1700	Builder.exe
Token: SeImpersonatePrivilege	1700	Builder.exe
Token: SeIncBasePriorityPrivilege	1700	Builder.exe
Token: SeIncreaseQuotaPrivilege	1700	Builder.exe
Token: 33	1700	Builder.exe
Token: SeManageVolumePrivilege	1700	Builder.exe
Token: SeProfSingleProcessPrivilege	1700	Builder.exe
Token: SeRestorePrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSystemProfilePrivilege	1700	Builder.exe
Token: SeTakeOwnershipPrivilege	1700	Builder.exe
Token: SeShutdownPrivilege	1700	Builder.exe
Token: SeDebugPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeSecurityPrivilege	1700	Builder.exe
Token: SeBackupPrivilege	1700	Builder.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeNOTEPAD.EXE

pid	Process
5056	7zFM.exe
5056	7zFM.exe
3920	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

ONENOTE.EXE

pid	Process
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE
648	ONENOTE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7zFM.exeBuilder.exeprintfilterpipelinesvc.exeC8B0.tmp

description	pid	Process	procid_target
PID 5056 wrote to memory of 1700	5056	7zFM.exe	88
PID 5056 wrote to memory of 1700	5056	7zFM.exe	88
PID 5056 wrote to memory of 1700	5056	7zFM.exe	88
PID 1700 wrote to memory of 3820	1700	Builder.exe	93
PID 1700 wrote to memory of 3820	1700	Builder.exe	93
PID 2064 wrote to memory of 648	2064	printfilterpipelinesvc.exe	96
PID 2064 wrote to memory of 648	2064	printfilterpipelinesvc.exe	96
PID 1700 wrote to memory of 4848	1700	Builder.exe	97
PID 1700 wrote to memory of 4848	1700	Builder.exe	97
PID 1700 wrote to memory of 4848	1700	Builder.exe	97
PID 1700 wrote to memory of 4848	1700	Builder.exe	97
PID 4848 wrote to memory of 2356	4848	C8B0.tmp	98
PID 4848 wrote to memory of 2356	4848	C8B0.tmp	98
PID 4848 wrote to memory of 2356	4848	C8B0.tmp	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main (1).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\7zO0C33ABA7\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0C33ABA7\Builder.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    - Drops file in System32 directory
    PID:3820
- - C:\ProgramData\C8B0.tmp
    "C:\ProgramData\C8B0.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C8B0.tmp >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3320

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{96658D8A-FEC1-4C07-98FE-26B4F1A688C3}.xps" 133772066510970000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:648

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\1pvSvxmZY.README.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\JJJJJJJJJJJ

Filesize
129B

MD5
77607057fdf4456b0e78c2f70d0acb5e

SHA1
a9718b83f73409dc8a646f263f41f84ac62f5211

SHA256
ef6a9f1bb51921789c0958945de807b7910ef39013fe7a374c83d16d0a0340fb

SHA512
2528c6a5f6d346cb4d316db235a8b22c741d826ba6df13aa411b5d1b5a9c9ebce6fb7c7a32b4c0ba40d34b7e2eff0c6b7369e63c94b5a8c0f2d5abdadd0fe054

Download Submit
C:\1pvSvxmZY.README.txt

Filesize
348B

MD5
9810eed5ecd966874ebeb398ac6531ed

SHA1
17d2e2bc15df652734b79185cb323e652559fd6a

SHA256
53183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e

SHA512
b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79

Download Submit
C:\ProgramData\C8B0.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C33ABA7\Builder.exe

Filesize
146KB

MD5
39c9477cf131ca5ccc05c8871c0e10e6

SHA1
07b2581b2cb41053d09c4bb896aaabc1d28f2a7b

SHA256
939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb

SHA512
689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C33ABA7\DDDDDDDDDDD

Filesize
146KB

MD5
16e0383b63e701cfd47a97b5933b7d3f

SHA1
da5648d00ded64398d71f0cc2aca11dcea9644f8

SHA256
a6236454c11236ad03827676f65b42a9126f64ee99b56b00147292fefee3064e

SHA512
fc06e2aa699d5991948b6d7e811134f1ca5dfbd6411194e0c15c5df7ceed898ea9932f73c81e480f450a2973ee6451023e48e2bd625f58ba8a21c6a13418b23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{283C8853-E193-42EB-8BCF-74A61DD09143}

Filesize
4KB

MD5
34476f13b23830801b75369ba4d7fcc7

SHA1
3f5a83412564339bca5f1cfa43b1ef8278914470

SHA256
73d8fdab6ce04c1c8ca9ae7ef4d6a94946b4d445825cb89da6b1c60fb419992d

SHA512
81da320890e76809fc69eaa8569ea9187f75cd7a45a3fadea5036d31683d4bbb0a3b6493b598f891efe5a45300f523444a8ee7c77663124ee2be4ada3c3a7f66

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\DDDDDDDDDDD

Filesize
129B

MD5
da5830a893c0c6718be49130396a7142

SHA1
f973e9061fe95112909ffb394a873a467425d1bd

SHA256
2134ee8a9ae18020d05e8b4e5327721f8d2a00166472d7f4649964c8ba596b6e

SHA512
df0e4a41ff3d0a5133e1f998937c60960b84934dc5d10130b0fe88fa724ee5e8513c475efb6499d1b84db4bd0ad0edb6aed9497eb06a34198fa0a1dd0c34de81

Download Submit
memory/648-2801-0x00007FFBB06F0000-0x00007FFBB0700000-memory.dmp

Filesize
64KB

Download
memory/648-2800-0x00007FFBB06F0000-0x00007FFBB0700000-memory.dmp

Filesize
64KB

Download
memory/648-2802-0x00007FFBB06F0000-0x00007FFBB0700000-memory.dmp

Filesize
64KB

Download
memory/648-2803-0x00007FFBB06F0000-0x00007FFBB0700000-memory.dmp

Filesize
64KB

Download
memory/648-2804-0x00007FFBB06F0000-0x00007FFBB0700000-memory.dmp

Filesize
64KB

Download
memory/648-2833-0x00007FFBADE70000-0x00007FFBADE80000-memory.dmp

Filesize
64KB

Download
memory/648-2834-0x00007FFBADE70000-0x00007FFBADE80000-memory.dmp

Filesize
64KB

Download
memory/1700-2783-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1700-2784-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1700-2782-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1700-9-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1700-11-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1700-10-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download