lumma | aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

Analysis

max time kernel
111s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi
Size

4.2MB
MD5

93a70c58cbc42d4362fd4cc206d5a35e
SHA1

f769777dec440d5e8900927b42d6c4232d6d58b7
SHA256

aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f
SHA512

db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23
SSDEEP

98304:Fn3X3JlbT6t/B7ALNsrYr82OvJ2p9TSNV1+jjz:B3X33bT6dB76NsrYFcw+o

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 2244	3952	iScrPaint.exe	101

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8C672847-3E4C-4D02-B74A-68C757912E7C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFD5.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bf2b.msi	msiexec.exe
File created	C:\Windows\Installer\e57bf29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bf29.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4880	iScrPaint.exe
3952	iScrPaint.exe

Loads dropped DLL 2 IoCs

pid	Process
4880	iScrPaint.exe
3952	iScrPaint.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3336	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iScrPaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iScrPaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3444	msiexec.exe
3444	msiexec.exe
4880	iScrPaint.exe
3952	iScrPaint.exe
3952	iScrPaint.exe
2244	cmd.exe
2244	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3952	iScrPaint.exe
2244	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3336	msiexec.exe
Token: SeSecurityPrivilege	3444	msiexec.exe
Token: SeCreateTokenPrivilege	3336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3336	msiexec.exe
Token: SeLockMemoryPrivilege	3336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3336	msiexec.exe
Token: SeMachineAccountPrivilege	3336	msiexec.exe
Token: SeTcbPrivilege	3336	msiexec.exe
Token: SeSecurityPrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeLoadDriverPrivilege	3336	msiexec.exe
Token: SeSystemProfilePrivilege	3336	msiexec.exe
Token: SeSystemtimePrivilege	3336	msiexec.exe
Token: SeProfSingleProcessPrivilege	3336	msiexec.exe
Token: SeIncBasePriorityPrivilege	3336	msiexec.exe
Token: SeCreatePagefilePrivilege	3336	msiexec.exe
Token: SeCreatePermanentPrivilege	3336	msiexec.exe
Token: SeBackupPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeShutdownPrivilege	3336	msiexec.exe
Token: SeDebugPrivilege	3336	msiexec.exe
Token: SeAuditPrivilege	3336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3336	msiexec.exe
Token: SeChangeNotifyPrivilege	3336	msiexec.exe
Token: SeRemoteShutdownPrivilege	3336	msiexec.exe
Token: SeUndockPrivilege	3336	msiexec.exe
Token: SeSyncAgentPrivilege	3336	msiexec.exe
Token: SeEnableDelegationPrivilege	3336	msiexec.exe
Token: SeManageVolumePrivilege	3336	msiexec.exe
Token: SeImpersonatePrivilege	3336	msiexec.exe
Token: SeCreateGlobalPrivilege	3336	msiexec.exe
Token: SeBackupPrivilege	3728	vssvc.exe
Token: SeRestorePrivilege	3728	vssvc.exe
Token: SeAuditPrivilege	3728	vssvc.exe
Token: SeBackupPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3336	msiexec.exe
3336	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4180	3444	msiexec.exe	97
PID 3444 wrote to memory of 4180	3444	msiexec.exe	97
PID 3444 wrote to memory of 4880	3444	msiexec.exe	99
PID 3444 wrote to memory of 4880	3444	msiexec.exe	99
PID 3444 wrote to memory of 4880	3444	msiexec.exe	99
PID 4880 wrote to memory of 3952	4880	iScrPaint.exe	100
PID 4880 wrote to memory of 3952	4880	iScrPaint.exe	100
PID 4880 wrote to memory of 3952	4880	iScrPaint.exe	100
PID 3952 wrote to memory of 2244	3952	iScrPaint.exe	101
PID 3952 wrote to memory of 2244	3952	iScrPaint.exe	101
PID 3952 wrote to memory of 2244	3952	iScrPaint.exe	101
PID 3952 wrote to memory of 2244	3952	iScrPaint.exe	101
PID 2244 wrote to memory of 4860	2244	cmd.exe	109
PID 2244 wrote to memory of 4860	2244	cmd.exe	109
PID 2244 wrote to memory of 4860	2244	cmd.exe	109
PID 2244 wrote to memory of 4860	2244	cmd.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3336

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4180
- C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe
  "C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
    C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bf2a.rbs

Filesize
8KB

MD5
9d7b4ad450ffc0e54ec2029c3df00800

SHA1
feb125877510c71b31944279d9c0ad884e8970c0

SHA256
9f69ed1c956e1ebe24f58a5e533a145fc4f85f8a94c2c46a0bc7ae6640a79200

SHA512
d2024fb40b0a06c72ce0a74bc48c5d9848278d553e7ac368f73cbb14725b8ecd2c6b59395e437ae9a0859d93668e2e08ee0a2713340f823e4eeff34b535ed386

Download Submit
C:\Users\Admin\AppData\Local\Limerick\WebUI.dll

Filesize
7.6MB

MD5
d4ad539ff52c5af062bdd88deb9d08a9

SHA1
c4264de99b628fc9afd320ec47e004ef1ade1d54

SHA256
44e5c6ac6131bf6b55b9a4c0bd5db41b56da3efcf0797f044bc693abed28dbbd

SHA512
a87696e66564aba54311f49e06fb6948f51531a323dfceae5d3af4b62a140ab009429853e72124ecb03058a0e85c5277b3329cb52f9c3b034f840eee15a45904

Download Submit
C:\Users\Admin\AppData\Local\Limerick\cajun.sql

Filesize
43KB

MD5
10d06a63ea6f430da50e26ed3441ea1b

SHA1
15f43b1d9a5723c6851db5de307df3f0b220a972

SHA256
8a58cca115c3e3c1afd2ba4c4af776306f3b4dbfd6d16704c180d60dd192e40a

SHA512
9669dccc63440c9942a7a13b4f715c8dc65dbb11482d0144c4b7dcbe451b9af0f2c9f894cbc186cc8880b6b68fc70e5191bf54faa4e65e8dff0662afdb21bda5

Download Submit
C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe

Filesize
1.8MB

MD5
098ac4621ee0e855e0710710736c2955

SHA1
ce7b88657c3449d5d05591314aaa43bd3e32bdaa

SHA256
46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f

SHA512
3042785b81bd18b641f0a2b5d8aec8ef86f9bf1269421fb96d1db35a913e744eaff16d9da7a02c8001435d59befb9f26bc0bbfa6e794811abf4282ed68b185fe

Download Submit
C:\Users\Admin\AppData\Local\Limerick\jaculator.app

Filesize
799KB

MD5
eaed4e7f6c2a9d9558061db4f88b6083

SHA1
0992fe807fb82aa4a4cc6a2eebb76346222643f9

SHA256
b6b3c597d404fe24f1f87f1fe5b2cae0b6476e796c6acac1ada9ed02ede1ec07

SHA512
c42ea74bbb9276cc671f9635d8f4df9365d95b43c0d108c02c223a40765df517549a2332c3c427b09ef74d0e7b36a1340dbb733dd4bd14d1c8c2099ce0e5cfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c5c7d4a

Filesize
1.0MB

MD5
50c188da464999634d7669f796e1771e

SHA1
146ce730e2da984feaaba7619b0c6f3bd1475a06

SHA256
0bd6bc9f7fbf05756b9c5dfb8331a1eb2d0efb03c7a0240e331a2411faf2c760

SHA512
bc0c0202031a487018022a9c0d91e4db35ac2be6bdfb5aa266b98b46599b1466269941fcba793ac0838c50918b7fc081676358d9e8f15351b24569f00cc02106

Download Submit
C:\Windows\Installer\e57bf29.msi

Filesize
4.2MB

MD5
93a70c58cbc42d4362fd4cc206d5a35e

SHA1
f769777dec440d5e8900927b42d6c4232d6d58b7

SHA256
aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

SHA512
db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2cce2d3975d93b93592835ab8c3fddf2

SHA1
79cbf0801c533592755e830ad4d4032b83ee4cea

SHA256
6eae70f10aaf87d1465095e73a2993387bf7945cde4b5455702e4fe57e5611a6

SHA512
cb5e74e31cf445e913f9aaf353f63737e5cd4322cfe464dd9db8e2aaf6c65271b947e7b03d8220aecb0704c61dd4c60a88a050b2795e71e8337f63dbfb11edf7

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b879854e-bfdf-481b-9b45-6f65d976f17a}_OnDiskSnapshotProp

Filesize
6KB

MD5
9d42a10ee9a496705b57f12a30db22b4

SHA1
5dd6f32a2b78d8f928dbc585089485d81529528a

SHA256
38ec12e0abccf50586eec57fdf2d289f9818326493e262d1665035082ddadd1f

SHA512
4118f930f7a6b34c57be92fb14ef326fd0cfa140db93e6cc47cc5feadb7e37cc1343f85b8f3394573d944626ae660e3452f52cc3bf824c40ab4025be7c1eefc7

Download Submit
memory/2244-52-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

Filesize
2.0MB

Download
memory/2244-55-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/3952-46-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/3952-47-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

Filesize
2.0MB

Download
memory/3952-48-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/4860-57-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

Filesize
2.0MB

Download
memory/4860-58-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

Filesize
368KB

Download
memory/4860-61-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

Filesize
368KB

Download
memory/4880-40-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4880-33-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

Filesize
2.0MB

Download
memory/4880-32-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download