lumma | 97f3cdbd70d325b46be415aa5c26cf5fdc0b40a2d513aeb2333bb62d197e636c

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iVgo3EsQ.ps1
Size

5.7MB
MD5

3250b4b574d23e89b23a2969d313f5b8
SHA1

5ef2378f4aa0ed8c720c7af00471f9fe7578f382
SHA256

97f3cdbd70d325b46be415aa5c26cf5fdc0b40a2d513aeb2333bb62d197e636c
SHA512

6f5fae577d34f255a7de885e359b8b8139c518a788bc702b3c30ff47a514286afa7efd4564d988a40936f717fa8301707397721aaa2e0c71052fe65152b7274c
SSDEEP

768:3Vd4nG1SSVAd1FOrXDdsePBiVtXsOEt5FzxSiMyIVwapmiwkUFcDmWuwR60C3e/R:3VoRbq3rW

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	MemorialHardcore.exe

Executes dropped EXE 2 IoCs

pid	Process
3368	MemorialHardcore.exe
3156	Templates.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
896	tasklist.exe
5084	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AdoptedSeek	MemorialHardcore.exe
File opened for modification	C:\Windows\KentuckyWx	MemorialHardcore.exe
File opened for modification	C:\Windows\CapacityTeen	MemorialHardcore.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1504	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MemorialHardcore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Templates.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1504	powershell.exe
1504	powershell.exe
3156	Templates.com
3156	Templates.com
3156	Templates.com
3156	Templates.com
3156	Templates.com
3156	Templates.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	896	tasklist.exe
Token: SeDebugPrivilege	5084	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3156	Templates.com
3156	Templates.com
3156	Templates.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3156	Templates.com
3156	Templates.com
3156	Templates.com

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3368	1504	powershell.exe	85
PID 1504 wrote to memory of 3368	1504	powershell.exe	85
PID 1504 wrote to memory of 3368	1504	powershell.exe	85
PID 3368 wrote to memory of 1628	3368	MemorialHardcore.exe	86
PID 3368 wrote to memory of 1628	3368	MemorialHardcore.exe	86
PID 3368 wrote to memory of 1628	3368	MemorialHardcore.exe	86
PID 1628 wrote to memory of 896	1628	cmd.exe	88
PID 1628 wrote to memory of 896	1628	cmd.exe	88
PID 1628 wrote to memory of 896	1628	cmd.exe	88
PID 1628 wrote to memory of 4936	1628	cmd.exe	89
PID 1628 wrote to memory of 4936	1628	cmd.exe	89
PID 1628 wrote to memory of 4936	1628	cmd.exe	89
PID 1628 wrote to memory of 5084	1628	cmd.exe	92
PID 1628 wrote to memory of 5084	1628	cmd.exe	92
PID 1628 wrote to memory of 5084	1628	cmd.exe	92
PID 1628 wrote to memory of 3584	1628	cmd.exe	93
PID 1628 wrote to memory of 3584	1628	cmd.exe	93
PID 1628 wrote to memory of 3584	1628	cmd.exe	93
PID 1628 wrote to memory of 4636	1628	cmd.exe	94
PID 1628 wrote to memory of 4636	1628	cmd.exe	94
PID 1628 wrote to memory of 4636	1628	cmd.exe	94
PID 1628 wrote to memory of 3832	1628	cmd.exe	95
PID 1628 wrote to memory of 3832	1628	cmd.exe	95
PID 1628 wrote to memory of 3832	1628	cmd.exe	95
PID 1628 wrote to memory of 2820	1628	cmd.exe	96
PID 1628 wrote to memory of 2820	1628	cmd.exe	96
PID 1628 wrote to memory of 2820	1628	cmd.exe	96
PID 1628 wrote to memory of 3156	1628	cmd.exe	97
PID 1628 wrote to memory of 3156	1628	cmd.exe	97
PID 1628 wrote to memory of 3156	1628	cmd.exe	97
PID 1628 wrote to memory of 2936	1628	cmd.exe	98
PID 1628 wrote to memory of 2936	1628	cmd.exe	98
PID 1628 wrote to memory of 2936	1628	cmd.exe	98

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\iVgo3EsQ.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Roaming\YsIsRh9q\MemorialHardcore.exe
  "C:\Users\Admin\AppData\Roaming\YsIsRh9q\MemorialHardcore.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Picking Picking.cmd && Picking.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5084
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 774391
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EcuadorHeightsHusbandSoleFilenameHisTonerAlike" Lip
      4⤵
      System Location Discovery: System Language Discovery
      PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Bangladesh + ..\Colonial + ..\Confirmed + ..\Recipients + ..\Sexo + ..\Pattern + ..\Purpose + ..\Logging o
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\774391\Templates.com
      Templates.com o
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3156
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\774391\Templates.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\774391\o

Filesize
462KB

MD5
40766d833bd9931437db7edabad4a1f4

SHA1
9ec8fad0ff497c358dd47c721f336bd672729771

SHA256
646e00c6f291d8db33be0bbff7e9662566426eef1ea83a4adee4ffb297f7e849

SHA512
ab0fddae53530eb3988aa0195ff33310a4afb69f1567657fdeab83ae3cee3cbfadc47b412f1bf3b6f138f7d58b4a79f3932677e7eb1fbe7e6929f98dd37eaa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adrian

Filesize
82KB

MD5
e538abfd5596c95829a0ff345744ee41

SHA1
5483472d27f6d37877ca60e07f86ddd9e4aef980

SHA256
5272b47394e63f1e3a8cbafd308e7d03d371a5394365c727c40f72e8b796c6f5

SHA512
39bc98f9726dcd2617600b2e9ae823bebf175a461707c68fc7b6a070353b44df055f8ed148f22e134193013c90394fcb15bb48927697f07589802a226f692aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attractive

Filesize
124KB

MD5
5b742cc107f9437f1fb28be762f7c9ba

SHA1
91043d8746d1ebeaf8642d68b642a24cf350f498

SHA256
ad99086249341ab60a5ee70ee07789e50d34a12a84e4326669d2aa24ee0c13c2

SHA512
fe26d0648e353e8d7546593d13424af47455a19e267761ec79cabddd61686bfc0ce80ccecf192f04cb5856b751192690a06e2d1fc248faa9e34fbc9f20ca0ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bangladesh

Filesize
56KB

MD5
8785e36b45de76b0d971740226280916

SHA1
2b78da2d36fae5d5a1a9b60ae6161f9babbbd610

SHA256
c8243d0798f0c05a00d411dd46104f07a5b7918bd33354d39c0508a6bcaa66a3

SHA512
2b60010616115ede7d16f23f3ea0a1069c77643be7c411dc180910bdb54409160bc6f17b0e66892a1e68de3fcabe8649cd665f9f574db822b11fe3a5d221ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colonial

Filesize
97KB

MD5
bb5aadecb20dae3a18e728d1cad86b1d

SHA1
23562e833b13f5ab21c076be70649d4dcf5b374e

SHA256
6302e122823366ab09dfd0495d5ecc498c77cae5c5a1fbe5e7b38999f2e20d65

SHA512
82a15dc5f834613bbbc29ab2f998423a78ddc04cb342d7e8c0343006c8ff9f171cc901bdfdd441af26e2a541cfe031f5f621b76fa855fbc38ef195141d0ca7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confirmed

Filesize
69KB

MD5
687bb68290a4f2eebb81856f5d26d797

SHA1
a86095f11731af246797e5b38ca0333b5a5cd8f1

SHA256
5edb1b51489ca17175434919ba660e743f84b2cdb37e1833c419d6df3bd0a32b

SHA512
31ddb9d9394803e68c15e6648ee74b885c2c962ebcd799c967467494528b974c5d19d9558fe9a384168c5d59d216351d58648393853cff884598c30db56828c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\France

Filesize
53KB

MD5
0d94f8e52b9e9d7543427d40752b8ca0

SHA1
3edbb16b62ea922277c1837f30218bf19a54c118

SHA256
1eb744aa59cacdc9498131842d3145a9b56604b124ac851338e8cf873d4d2a95

SHA512
5d04e72de63c61bffd8cbc43edbc6e57969ee9cdeb7e7ea047fe70c5931a912b09bf7d96d0adb52b07c8e9ae4c6b43944a28416d0f9e75a6fc4557641fc2858f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hungarian

Filesize
83KB

MD5
929ddfb0b578d40b905f4c76a6a24c78

SHA1
6168b5e8ed91ca3c03342229ccf853345c5cbc6c

SHA256
b13ff2f2eb071a198ad2520a104d07efbf0541bdab089cebfc9fa2c4db605ae4

SHA512
2b46ccd388fb28ff35a64c01816bcdaa9982325bc7a895d49885b30c600a743606fba5d7140560cdb4fa575e32f356aac4853ccb099941081d6d575c1c701ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lip

Filesize
97KB

MD5
b5bed4fc26b328385440ade408350345

SHA1
37f16bacc2d8e74f1c0e5721b96ee2974a757132

SHA256
315bcdad2e221b79a72d8322e84094cf04816b26550e8f962b84afa4126a9ca5

SHA512
240f0d9af7d8bf98b18deaa067239c511105f4899a294c62896cb290411eefaab7121ae4f040dd0398448f98ca68929d18b1c2aa42984c23001056c79ccaa9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logging

Filesize
1KB

MD5
53224366aa22965ba7e215f31420bade

SHA1
098764859c677cb0344309dfb173aed758119d43

SHA256
c642b480c35f4f1458338dc08e9e89ac8662984ff5884624589f6a2151365e17

SHA512
2daf580c8831e20bcd8e071fc31ade0de3914e157d3a8d84a3821c193b1b87dbc6e0b931c6ba3e504695701092baa240201637b5a8babf28cb1f0c3c0f662e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mobility

Filesize
124KB

MD5
d4b9ffdff2cc3891a54fca8646aacba1

SHA1
62b454788276c3073cab6200232f5696cb22b831

SHA256
6e6e2b2c0450b1e6c0d81f9ae71f2292110a014a02b8250e95ea1690470ba9a1

SHA512
c41236f7708f0ddaacaa5905a9f65ba0db10685feb812760114ab51038a94417ac7204d4b66a32af5da6d8803d7f78f26c7e60bfe1e8033ce574af6be41ffe81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pattern

Filesize
71KB

MD5
ab7d134ee6e87eb2254669fa6fe13da3

SHA1
840f9e89e6bc3e5fe4582a2dc0c561d5d6c2bc76

SHA256
32e8a70c61c12e7fa348b8985423aec8848ba084a5e7d4e8a332538280df1532

SHA512
bef5e2cdfd660d9dd3ce9e0d717ed35d5e588729cabbc4645af45678ec5ef677db59e58c0f90cdf623cdc373d6f71543ae1207439e8e590226b675cb0f9d4d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Picking

Filesize
23KB

MD5
d6e7b63cee8042e379db74e5ea09a56a

SHA1
b5f695ace3f451eae9ec7ab20a34eefce0561de5

SHA256
32ed2c5de1938b73cbb14ce3363bc2f291895d317ef463786b867ca411656816

SHA512
411bb6502926e53594f141b8ed4f816251fff76ff877a49b32ff43bf83735a2007aac8202956e7212431e9fff52e552510cdf96d8baa13865617ed0c5c329753

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purpose

Filesize
54KB

MD5
4c87dfd6cbade6c8e97c57d87b5122f2

SHA1
a41b2bd4c92ca07a27cd50ea7eecb4ebb324498d

SHA256
e17091e30122240d89565c3a25e599aa05c29504f4cca5574fbdc66d118b152d

SHA512
f6e8f81e2bbc212cf3d4316b90b145487b27f97848d363417437156f12da48629f41ecd4b0c6954598d5fb046e7d0218d06047223de65175d5f7a6645970bbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recipients

Filesize
53KB

MD5
8539d91fc8989d321d582189876ec5fa

SHA1
72fbe4320b799885a7a98af5df7442182f6eb610

SHA256
d111c18bb2f2f5ac635b5da8ad17cdb8fd0dc6194467f13ab4c74a747282782f

SHA512
d6f854bd1f9f4f8c3e0b8dbb9abd387eda73afee7770e1aa5c5141c4fd84278f1c2dc848c1f31e11d6332eb6f8dad4f02fe21bff97a46167cfa6c1ad39b1acbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sexo

Filesize
61KB

MD5
d7c0804886af0246c06c89bad4cae200

SHA1
ed750ab801d7639192aa117a3685236d9ac353f5

SHA256
d6d779542f718238c6a4e6ba8b8d7ea97a6e5a8d4ed0e096b02913ab667b1f57

SHA512
12bdeef54d51106bfc2d8e770cbfb4e326557c2b06e294d1f11d131d241c6754dfe32e69ea3ae3a2bc9fa5a9d814f034b10a3e1aa24369eac6549323d3d875fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sleeps

Filesize
145KB

MD5
6a7fc127dabfd893e5156d05a3b3f74e

SHA1
ffb1927a221db1c183be3a559561929501fc9bdb

SHA256
b7be44bc1e1e06336ebe772b4ceac453924c8169180f640bfc7bead742b83416

SHA512
f564da41ad45ef1d0b4d2440d6030dfcf2ed053585f0369053c6390954750db46eb8c478760aff811f4e0793ef8658b40199ddb2a67bbb7441ff9b4fe0c57f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terminal

Filesize
96KB

MD5
e61971090511e5f78a97d544338fff12

SHA1
d9a166b0b3bb9b3da397b66c25d1fa4e755e10c4

SHA256
b157cbad501fdc7215c153ba5b0d3fdbd891241b812e068459e92ed871497e07

SHA512
dca5ea7325bd7e894904fcb3aa6dd6e5a842eb2525eaab2b41ef84c483eee45cedc13cd0fbd5bb62a06afcec6d1a0f401d5ebe30dd729cace8df37b9cbe00af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vt

Filesize
121KB

MD5
06d2dd593476bec0f8a246f477138e46

SHA1
399288236865896c76aaff1f78b50efdd33fb0c0

SHA256
50a5fba00dda9654a0d23555aa57894fa9d688c3cd1b9b3c888f5f63c061a876

SHA512
0a2d932312def35879f81ce3733901cd0fe94c8dbef4e834af3e5db3b25c2a410b462ead4b616e8ee98896728c9ff52353562d44cdebc88abbb418c77c768512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wau1krmn.blt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\YsIsRh9q\MemorialHardcore.exe

Filesize
1.0MB

MD5
39f9a465a0bd04fca31010b36652c127

SHA1
ed3c2d79212566bf91508feeb47579149e19a544

SHA256
27f21fe9fc9f4aa1bcbbf90afa8b6c496c24b2b96e86ea5fca1b77ca4ff5c06b

SHA512
e60120327ea6f2db13af20ea15155aa7169844dae2f2a4262bdc5efcce837dc605df83c718eeaa1837b37aace84effeb2b2502966644c3e76637d8b25f1fb272

Download Submit
memory/1504-0-0x00007FFC9D1A0000-0x00007FFC9D26D000-memory.dmp

Filesize
820KB

Download
memory/1504-12-0x000001F821F30000-0x000001F821F42000-memory.dmp

Filesize
72KB

Download
memory/1504-26-0x00007FFC9D1A0000-0x00007FFC9D26D000-memory.dmp

Filesize
820KB

Download
memory/1504-13-0x000001F8204A0000-0x000001F8204AA000-memory.dmp

Filesize
40KB

Download
memory/1504-1-0x000001F821F00000-0x000001F821F22000-memory.dmp

Filesize
136KB

Download
memory/3156-589-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/3156-590-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/3156-592-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/3156-591-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/3156-594-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/3156-593-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download