Malware Analysis Report

2024-11-30 04:48

Sample ID 240221-1lqphsgc37
Target ep_setup.exe
SHA256 0d46bd6e83d661567efd6d79ae760a041f6a1ea72b4b043da428c7fbb93ad27f
Tags
lumma discovery evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

0d46bd6e83d661567efd6d79ae760a041f6a1ea72b4b043da428c7fbb93ad27f

Threat Level: Known bad

The file ep_setup.exe was found to be: Known bad.

Malicious Activity Summary

lumma discovery evasion persistence

Detect Lumma Stealer payload V4

Lumma family

Stops running service(s)

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-21 21:44

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 21:44

Reported

2024-02-21 21:44

Platform

win7-20240221-en

Max time kernel

0s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ep_setup.exe

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-21 21:44

Reported

2024-02-21 21:45

Platform

win10v2004-20240221-en

Max time kernel

10s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

Signatures

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_gui.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_dwm.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dxgi.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ep_setup.exe

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.63.96.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp

Files

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

MD5 bf39429762a6ac4606516dd454ee3d32
SHA1 8388f4ddd5c91a3dc3c64ec7572ff0c9a16cb304
SHA256 a3429b8060930cdfed715f5baf4cb9bf1d48a9fcaa25bf84c02587cbf502da88
SHA512 054270517c3b6800f9efcbcf40bd49a5f845e5687f8b9ada07ac23dec993c9dcb4085fc941df56f8a5aae38ddd54d2520ecfd5fa520e33dd36c44b9fc58e0954

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

MD5 c44baed957b05b9327bd371dbf0dbe99
SHA1 80b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256 ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512 ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

MD5 27db891c07f48b2aa217916e313b4290
SHA1 4e78b077ee65244c04261de5cee48af9db527a45
SHA256 c37861c2d351366d55b39f95336625f5d4a23b83839b8c419531322aded6d679
SHA512 4b3792ffc63a2dc44ecace6716b5cac09fff326abb5932e2ae42bb77fefff9acddbdbf7443caaa9fba12b41dd41ab7887dbdaa15066ace23b91ab24c34bd4727

C:\Windows\dxgi.dll

MD5 7638f76208571b7c3a2a42dd9b2fcd4c
SHA1 71dda667c93210c880115044eaf9e8b22c64466d
SHA256 ecd3d3961c5dc287413bccc5554250a0baa032326617db5140d9c23f4a51a024
SHA512 957304e779851d27b5b0b1f936ed26a7bf4e65db56ea4fb845c4ddb1f695c220524b133b374825cff93c0b55e0138010d05153ea373fa9fcba848c11b5761349
