banload | 0ca3b1c2202d5107d74e28fca4a84a8da8fbe9799297ea82f016e9aecce3fdab

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezcd.exe
Size

8.5MB
MD5

98169506fec94c2b12ba9930ad704515
SHA1

bce662a9fb94551f648ba2d7e29659957fd6a428
SHA256

9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
SHA512

7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
SSDEEP

196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Score

10^/10

banload lumma downloader dropper evasion persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

lumma

https://unwielldyzpwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 1876	1448	ezcd.exe	86

Executes dropped EXE 1 IoCs

pid	Process
1448	ezcd.exe

Loads dropped DLL 3 IoCs

pid	Process
1448	ezcd.exe
1448	ezcd.exe
1448	ezcd.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\GovPzntaxs	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qgwsrymu\ = "ciB\\_CIfFAdDY\\w\\ikuNClFiS"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qgwsrymu\ = "@TkReVVSvVsyiLcFRx]~BLoVY"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\twvjchiky\ = "rFtC]}W@\x7f^tAdiFt~FQc\x7fp[W}"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\agRbnqwledkLs\ = "Dj\x7fph`"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0\Class = "Microsoft.Vbe.Interop.VBProjectClass"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\GovPzntaxs\ = "gnIGbuQqkgiAuJOAEiLtWru"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bgvec\ = "leaDka`jNsGC^BAe\x7f"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\GovPzntaxs\ = "l\x7fwyK~BXgdtmJ@mfj\x7f`ZaAI"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\hFunkcVu	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bgvec	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qgwsrymu	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\agRbnqwledkLs	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\agRbnqwledkLs	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zufMwyqn\ = "_T}UrLvAuCACHEMJZ@KwiDDvrlt"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qgwsrymu\ = "@TkReVVSvVsyiLcFRx]bBLoVY"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\Wqzba	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zufMwyqn	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\agRbnqwledkLs\ = "lelpm@"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bgvec\ = "lk_INzGR}dduRD{[o"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\twvjchiky	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\agRbnqwledkLs\ = "m_wKo`"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\twvjchiky\ = "K~OZ^Qeaz]VgYrBLleT`~\|e\\L"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pxth\ = "fqgLGwBd~AkZ@OI[VDCKujyHMYtS"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\hFunkcVu	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bgvec	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\pxth	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\agRbnqwledkLs\ = "EPdKj@"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\twvjchiky\ = "rFtC]}W@\x7f^xAdiFt~F]c\x7fp[W}"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Vbe.Interop.VBProjectClass"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pxth	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\GovPzntaxs	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qgwsrymu	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\hFunkcVu\ = "Dvm{XTkcV@Mu_jkbli][]inP\\@F"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qgwsrymu\ = "ciB\\_CIfFAdDY\\w\\ikuRClFiS"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\hFunkcVu\ = "SFiCRbo_XPCd^SNFVBdaolEW^^k"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Wqzba	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Wqzba\ = "uHBd\x7fyiROEFBcsXXnHTl^[KCSuk]I\|ud"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\twvjchiky	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\twvjchiky\ = "K~OZ^Qeaz]ZgYrBLleX`~\|e\\L"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zufMwyqn\ = "RqmppFkrdU\|cpquDqGnuVo\|]E@g"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\pxth\ = "vpg]LvVRdb}N\\gaA\|@sldvpMdaqy"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zufMwyqn	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\Wqzba\ = "dbWNaDLm\\nO\\phFkJfZL[ho_~]\\SWIKW"	ezcd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2856	ezcd.exe
1448	ezcd.exe
1448	ezcd.exe
1876	more.com
1876	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1448	ezcd.exe
1876	more.com

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1448	2856	ezcd.exe	85
PID 2856 wrote to memory of 1448	2856	ezcd.exe	85
PID 1448 wrote to memory of 1876	1448	ezcd.exe	86
PID 1448 wrote to memory of 1876	1448	ezcd.exe	86
PID 1448 wrote to memory of 1876	1448	ezcd.exe	86
PID 1448 wrote to memory of 1876	1448	ezcd.exe	86
PID 1876 wrote to memory of 704	1876	more.com	90
PID 1876 wrote to memory of 704	1876	more.com	90
PID 1876 wrote to memory of 704	1876	more.com	90
PID 1876 wrote to memory of 704	1876	more.com	90

C:\Users\Admin\AppData\Local\Temp\ezcd.exe
"C:\Users\Admin\AppData\Local\Temp\ezcd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\PatchTls\ezcd.exe
  C:\Users\Admin\AppData\Roaming\PatchTls\ezcd.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\SearchIndexer.exe
      C:\Windows\SysWOW64\SearchIndexer.exe
      4⤵
      PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
156B

MD5
212b2a93f97153f48546003527fa3c98

SHA1
ff40b5352a4bbc7fdb9a18876dfa381527e1c91d

SHA256
e2d55120636ac94ad44bee18727d57738d4451f4d97f3989573366e30f053f3c

SHA512
9aa44e1167ec9bcd9542264c3eba03a03714ab82c3810c59d67aa95d69908557b71e4ded8f04bb5f460e9dc8300a58fbb1fbee8868a06e83e61c7af59eb2e992

Download Submit
C:\Users\Admin\AppData\Local\Temp\974c7520

Filesize
1.1MB

MD5
7e7f101dfb6616b9a16bab8397c4f5cb

SHA1
1d2003f17e005b8286daa76873834bfa6ff5d49b

SHA256
0e9eea99cba157b8f8db242b02f8a82e3c6b72913d84b4bbcb5ecaf274b2b33f

SHA512
57d8ffad82823b5ba5f4e848e6a6fe957415085466eef8ddc6c1b1d78863017036ab36d418a2492cd71510290b03954925395461cf098a5039f087bfd8fc79cb

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\ACDBASE.DLL

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\assured.doc

Filesize
36KB

MD5
a285fc5707d7197e033594c2964f4fd5

SHA1
2ef147d12ba18602e176937a364f215b1aa7dde7

SHA256
67d660868b2f5b271ffdeb59ac915f2c978a51495b51ec11a41ac376e8bc8a19

SHA512
aa4400f70471d3e698ca0d5fed1d83d9be3c13b5cd472ac43adfed82a71f2a0f2bc6aef9dda5167fb8a598446d48475dfc7907ac03d8f07cd16e999b56baa8e7

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\gripe.log

Filesize
867KB

MD5
9b85e3b3f633ea90014072dce70235b2

SHA1
96b4e72bd4bce885bcf86233b8eb86fea1204343

SHA256
67d8405ec6ee146f77ec9b0a431ba1cc42d38664b2b668a1583e7bf0dafec9d1

SHA512
8a1f5b377c4a0dc4582f9ddd063a373a15b898dfbc933360064e1c419a0148906777fd62d260e03db95f466229723e62fe04f09809a0ff8e68f50339bb3d5cf9

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\libmmd.dll

Filesize
4.0MB

MD5
49f7afd53010fdce18e22ec9e4ee83b8

SHA1
cf5486d460b81aed957338c5c0c49e788cce2a87

SHA256
9e6d457f282e19fb0e0c80748f4827d77c9668ebecdff1c0e7e47b676c383126

SHA512
f6efb30d0c67302899d8ef037aa6d6c3f1227b7f35134418329dd39a062995722f677f2e52bc8958d1173b57ce6f3f137c3988be3259c9dcd7464e787108ddbf

Download Submit
C:\Users\Admin\AppData\Roaming\PatchTls\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
memory/704-77-0x0000000000AA0000-0x0000000000B0E000-memory.dmp

Filesize
440KB

Download
memory/704-76-0x0000000000AA0000-0x0000000000B0E000-memory.dmp

Filesize
440KB

Download
memory/704-75-0x00007FFDE0630000-0x00007FFDE0825000-memory.dmp

Filesize
2.0MB

Download
memory/1448-68-0x00007FFDDFE50000-0x00007FFDE02C2000-memory.dmp

Filesize
4.4MB

Download
memory/1448-69-0x00007FFDDFE50000-0x00007FFDE02C2000-memory.dmp

Filesize
4.4MB

Download
memory/1448-55-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-56-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-37-0x0000000003F30000-0x0000000004118000-memory.dmp

Filesize
1.9MB

Download
memory/1448-57-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-59-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-52-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-54-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1448-51-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1876-72-0x00007FFDE0630000-0x00007FFDE0825000-memory.dmp

Filesize
2.0MB

Download
memory/1876-73-0x0000000075850000-0x0000000075C8C000-memory.dmp

Filesize
4.2MB

Download
memory/2856-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-0-0x0000000003ED0000-0x00000000040B8000-memory.dmp

Filesize
1.9MB

Download
memory/2856-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-20-0x00007FFDDFE50000-0x00007FFDE02C2000-memory.dmp

Filesize
4.4MB

Download
memory/2856-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2856-11-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download