lumma | 6d11d8339ed8917190ba15dfbdf12c46d0a9d90b4b680edf54a8c65585e76e74

Resubmissions

26-11-2024 18:47

241126-xfj31atpdv 6

26-11-2024 18:46

241126-xe42sazqgq 10

Analysis

max time kernel
88s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application.bat
Size

1KB
MD5

1f886633d8933efe74279e6519035ac2
SHA1

e0b8ed8660b546dbe6a6cd6808d8ea33569647ea
SHA256

c8bd116c303dbf8c8f539a8353a180a1b5b51d771c820ef176359bf0f194e49e
SHA512

766a3452dc1265defb8168c87d8e187c33f42bfc936aaa061678fc23093a6ca10e32c06038f4e8127c53fddf1c2994550e01e059e4581c6ab6513e2a178a63c4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Application.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Application.exe

Executes dropped EXE 2 IoCs

Processes:

Application.exeBirmingham.com

pid	Process
1924	Application.exe
4612	Birmingham.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
2864	tasklist.exe
3396	tasklist.exe

Drops file in Windows directory 3 IoCs

Processes:

luajit.exeApplication.exe

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	luajit.exe
File opened for modification	C:\Windows\CatholicContainer	Application.exe
File opened for modification	C:\Windows\BoxLaptops	Application.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeBirmingham.comApplication.execmd.exefindstr.exechoice.exefindstr.exetasklist.exetasklist.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birmingham.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Application.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
1520	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Birmingham.com

pid	Process
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	2864	tasklist.exe
Token: SeDebugPrivilege	3396	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Birmingham.com

pid	Process
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Birmingham.com

pid	Process
4612	Birmingham.com
4612	Birmingham.com
4612	Birmingham.com

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exeluajit.exeApplication.execmd.exe

description	pid	Process	procid_target
PID 5104 wrote to memory of 3084	5104	cmd.exe	82
PID 5104 wrote to memory of 3084	5104	cmd.exe	82
PID 3084 wrote to memory of 2620	3084	luajit.exe	90
PID 3084 wrote to memory of 2620	3084	luajit.exe	90
PID 3084 wrote to memory of 1520	3084	luajit.exe	91
PID 3084 wrote to memory of 1520	3084	luajit.exe	91
PID 3084 wrote to memory of 1924	3084	luajit.exe	94
PID 3084 wrote to memory of 1924	3084	luajit.exe	94
PID 3084 wrote to memory of 1924	3084	luajit.exe	94
PID 1924 wrote to memory of 1156	1924	Application.exe	96
PID 1924 wrote to memory of 1156	1924	Application.exe	96
PID 1924 wrote to memory of 1156	1924	Application.exe	96
PID 1156 wrote to memory of 2864	1156	cmd.exe	98
PID 1156 wrote to memory of 2864	1156	cmd.exe	98
PID 1156 wrote to memory of 2864	1156	cmd.exe	98
PID 1156 wrote to memory of 3096	1156	cmd.exe	99
PID 1156 wrote to memory of 3096	1156	cmd.exe	99
PID 1156 wrote to memory of 3096	1156	cmd.exe	99
PID 1156 wrote to memory of 3396	1156	cmd.exe	100
PID 1156 wrote to memory of 3396	1156	cmd.exe	100
PID 1156 wrote to memory of 3396	1156	cmd.exe	100
PID 1156 wrote to memory of 4932	1156	cmd.exe	101
PID 1156 wrote to memory of 4932	1156	cmd.exe	101
PID 1156 wrote to memory of 4932	1156	cmd.exe	101
PID 1156 wrote to memory of 4732	1156	cmd.exe	102
PID 1156 wrote to memory of 4732	1156	cmd.exe	102
PID 1156 wrote to memory of 4732	1156	cmd.exe	102
PID 1156 wrote to memory of 2576	1156	cmd.exe	103
PID 1156 wrote to memory of 2576	1156	cmd.exe	103
PID 1156 wrote to memory of 2576	1156	cmd.exe	103
PID 1156 wrote to memory of 4612	1156	cmd.exe	104
PID 1156 wrote to memory of 4612	1156	cmd.exe	104
PID 1156 wrote to memory of 4612	1156	cmd.exe	104
PID 1156 wrote to memory of 3192	1156	cmd.exe	105
PID 1156 wrote to memory of 3192	1156	cmd.exe	105
PID 1156 wrote to memory of 3192	1156	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\luajit.exe
  luajit.exe cfg.txt
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc daily /st 11:58 /f /tn MicrosoftEdgeUpdateTaskMachineCore_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\cfg.txt""
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc daily /st 11:58 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1520
- - C:\Users\Admin\AppData\Roaming\Games\x86\Application.exe
    "C:\Users\Admin\AppData\Roaming\Games\x86\Application.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Revision Revision.cmd && Revision.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 415471
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Parish + ..\Merchants + ..\Fog + ..\Weblog + ..\Rel + ..\Dairy + ..\Invasion M
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\415471\Birmingham.com
        
        Birmingham.com M
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4612
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\415471\M

Filesize
470KB

MD5
1eb4f1ad3a33045ff577d9afe1e69466

SHA1
0a68d99f8d9be186cc9a5678da56699a63ced664

SHA256
cd5661e127db6fcdced932919416afeb107c0915d100b439b5a4b6fdb9c468bb

SHA512
ea20397316c65b93c0d098158ba4a3aa077eb18b0a75f72bfdc70efeba49a8518641aee41905f18186101ef94f17edda2588b727b21d3d63a02ad5b948896b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dairy

Filesize
79KB

MD5
aaecc697c418f0e68f8fabc430b550fe

SHA1
075933a5ce35ee04c2ec14ad78f98e3559946eed

SHA256
1ea4e0c2149a4c9346cea80e946d2cb297ec874633fef2f21bc246074eef4fe9

SHA512
01fff5e3ddb5113015e77c9529077fc26444b4b3029c55da3521d08639e99ac1ee683632fb7771854ada6a4bbc8d07dd359a4bd70cae13aa7f19bfa9eb5924b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fog

Filesize
82KB

MD5
4ec19af8cd06be8f066f98105c0f68ad

SHA1
926e5ea68fee6c191686f9e685fc5727d3c0340b

SHA256
41d903f0c53df01b24792993f3f51e9cae09348648025a670f83da5b42896856

SHA512
a25de2b384ed1a24ef2b6dbcf7ce0094598a6972ba222ad14f4cf1caa03edee5df97b1baf7b18fcd534aec69e293740ac83d9756e04032df4584faa6ed60c52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invasion

Filesize
22KB

MD5
0b94751985c5cc1b4d36d08ef1079776

SHA1
88785b64a0dcde83243cd2db5fe66ac8631c9350

SHA256
3739ba9b1e3a6aebd88c9a81bde77510ab5d3a84ca68e39a651df4ba55dbbc70

SHA512
9e06db7d097369ca78d229c4913ab000171ea554c714351abbd341a755a093b3bbeda7e2203d5fb745341dd7a9b3b546b255d3be02c42c06d8b79ec0da9acc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merchants

Filesize
55KB

MD5
c8fee1cffcdf4c723d44bb813ee6c011

SHA1
eea5dd182b46ddf4ba8c88bf5b373e00b116b579

SHA256
af717df977ffc73c7c2011e6c052daae01f8801d8f9b78ef609177a3d37ab4f1

SHA512
411cdde218b1c661841b0bfd9b398756774535e65ac9b61f7319ededfde178dbb06e064e6ddcf0fd714ccd7ecc6d6060eae26b435eb3cc41460c79004c200f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parish

Filesize
93KB

MD5
a7e24c868a7e97c7859dbe877e04e0ba

SHA1
3927bb39b7a79c53943f161ea8cf241fb4028aea

SHA256
76f3c5b19af5e4869b1619569ec09339867f212fea6e1d4d0dc09331574a977f

SHA512
95cfa327d981bb9e14be8d00b4f7b25f8213079ad460dd1e2d6c03da43b7b85f15c726553c94f6a03ec8cfa076fb5e77cb3f6ea2df28bc5e91d87f7cb9f4eef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rel

Filesize
76KB

MD5
2c062d5033d880aa2d565187c505e44d

SHA1
0a0fda31e2d2c52409f727cef680644a18dcc443

SHA256
a8e50612f6bf418e8a2fb87c37cbf2e92c483f88b77a7d2f1530395cad40d2e1

SHA512
bdde04cf4bca0c4953c4310c6c4b0622d2c7bbe88d651a735f585d1ff97f8acf6ada24ed7a91bd0e5a5e7ee765191ff5e950dd2153111422c2614f35f9115a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revision

Filesize
7KB

MD5
6a61b446b20420fedb86cd3638ccfccf

SHA1
c9f40008be95f03bf81bcc99bba41cc1caaf3abb

SHA256
376f29efd12b2312963cd5b33430105f7d88b581f1a5bc1530a6dc89285ac3ca

SHA512
5a580c7aa4d78906f23781cfcb25ac1f73c085f67f34875e8752d3cf2e75c93af760789a0be0aa6225405c6e34725bfcc32e0c03d6992ca45dda0ec2b17e5a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tabs

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weblog

Filesize
63KB

MD5
6574aa1b9b0d1d458eb7c7559688150d

SHA1
d5a38753250e039ca48f0d74d86fd26eb4410c54

SHA256
542ad5772656fe92679586642dc21a0e210f77519b5d2c250d02b9b5719844e2

SHA512
1eec8daf0bd19baf3e17dc84a2fb317c9212770246de51cb7d6d3c2c338bc4617d85e5eeab990ee72ff71f21281916b81887c09264fe80a9d32ebc9b1399dd29

Download Submit
memory/3084-34-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-29-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-85-0x000001D79C6C0000-0x000001D79C6C1000-memory.dmp

Filesize
4KB

Download
memory/3084-76-0x000001D79C680000-0x000001D79C681000-memory.dmp

Filesize
4KB

Download
memory/3084-62-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-61-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-60-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-59-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-58-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-56-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-55-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-54-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-53-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-52-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-51-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-50-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-49-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-48-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-47-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-46-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-45-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-44-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-43-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-42-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-41-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-39-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-38-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-37-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-36-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-35-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-87-0x000001D79C6E0000-0x000001D79C6E1000-memory.dmp

Filesize
4KB

Download
memory/3084-33-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-32-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-31-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-30-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-86-0x000001D79C6E0000-0x000001D79C6E1000-memory.dmp

Filesize
4KB

Download
memory/3084-28-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-27-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-26-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-25-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-24-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-22-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-21-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-20-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-19-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-18-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-17-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-16-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-15-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-14-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-12-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-11-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-10-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-9-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-8-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-7-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-6-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-5-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-4-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-3-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-2-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-1-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-88-0x000001D79C6E0000-0x000001D79C6E1000-memory.dmp

Filesize
4KB

Download
memory/3084-77-0x000001D79C680000-0x000001D79C681000-memory.dmp

Filesize
4KB

Download
memory/3084-63-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-40-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-57-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-23-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-13-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-0-0x00007FFC1AFB0000-0x00007FFC1AFC0000-memory.dmp

Filesize
64KB

Download
memory/3084-121-0x000001D79C680000-0x000001D79C681000-memory.dmp

Filesize
4KB

Download
memory/3084-172-0x000001D79C6E0000-0x000001D79C6E1000-memory.dmp

Filesize
4KB

Download