lumma | 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
Size

1.1MB
MD5

9fd74d2abba10ddd2f4c525749fcd84f
SHA1

3f48f29bc8ff8b334dca5e8abac0b47613cf9904
SHA256

18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541
SHA512

cfa970e441e75ec6134dc2bf91b0080807de6755a7d33ebc04826f3b1afe2e84e4845a54989de394385ccdcb4f909565e91a5d3f6f4ef4791b9a317a49aaac89
SSDEEP

24576:FYGnICgom1O8yC68YfUjmCDhSvYROnWAIVwUJB/r3b7Tb7j:eHjI8JDSAcnWAIO4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://sheayingero.shop/api

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe

Executes dropped EXE 1 IoCs

pid	Process
3656	Transsexual.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe
1544	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AgreementsSpa	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
File opened for modification	C:\Windows\HorrorPhotographic	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
File opened for modification	C:\Windows\BrokenAwful	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
File opened for modification	C:\Windows\NotedSterling	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
File opened for modification	C:\Windows\CyclesAntarctica	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transsexual.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3656	Transsexual.com
3656	Transsexual.com
3656	Transsexual.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4176	2004	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe	83
PID 2004 wrote to memory of 4176	2004	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe	83
PID 2004 wrote to memory of 4176	2004	18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe	83
PID 4176 wrote to memory of 2812	4176	cmd.exe	85
PID 4176 wrote to memory of 2812	4176	cmd.exe	85
PID 4176 wrote to memory of 2812	4176	cmd.exe	85
PID 4176 wrote to memory of 3568	4176	cmd.exe	86
PID 4176 wrote to memory of 3568	4176	cmd.exe	86
PID 4176 wrote to memory of 3568	4176	cmd.exe	86
PID 4176 wrote to memory of 1544	4176	cmd.exe	88
PID 4176 wrote to memory of 1544	4176	cmd.exe	88
PID 4176 wrote to memory of 1544	4176	cmd.exe	88
PID 4176 wrote to memory of 4504	4176	cmd.exe	89
PID 4176 wrote to memory of 4504	4176	cmd.exe	89
PID 4176 wrote to memory of 4504	4176	cmd.exe	89
PID 4176 wrote to memory of 4584	4176	cmd.exe	90
PID 4176 wrote to memory of 4584	4176	cmd.exe	90
PID 4176 wrote to memory of 4584	4176	cmd.exe	90
PID 4176 wrote to memory of 2936	4176	cmd.exe	91
PID 4176 wrote to memory of 2936	4176	cmd.exe	91
PID 4176 wrote to memory of 2936	4176	cmd.exe	91
PID 4176 wrote to memory of 740	4176	cmd.exe	92
PID 4176 wrote to memory of 740	4176	cmd.exe	92
PID 4176 wrote to memory of 740	4176	cmd.exe	92
PID 4176 wrote to memory of 4936	4176	cmd.exe	93
PID 4176 wrote to memory of 4936	4176	cmd.exe	93
PID 4176 wrote to memory of 4936	4176	cmd.exe	93
PID 4176 wrote to memory of 4088	4176	cmd.exe	94
PID 4176 wrote to memory of 4088	4176	cmd.exe	94
PID 4176 wrote to memory of 4088	4176	cmd.exe	94
PID 4176 wrote to memory of 3656	4176	cmd.exe	95
PID 4176 wrote to memory of 3656	4176	cmd.exe	95
PID 4176 wrote to memory of 3656	4176	cmd.exe	95
PID 4176 wrote to memory of 2652	4176	cmd.exe	96
PID 4176 wrote to memory of 2652	4176	cmd.exe	96
PID 4176 wrote to memory of 2652	4176	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
"C:\Users\Admin\AppData\Local\Temp\18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Estate Estate.cmd & Estate.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3568
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 473462
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Vote
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Transit" Kirk
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 473462\Transsexual.com + Recipes + Carrier + Insulin + Butterfly + Pools + Shade + Arrivals + Ohio + Conflicts 473462\Transsexual.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Page + ..\Eat + ..\Simply + ..\Execution + ..\Paragraphs + ..\Shown + ..\Counter T
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\473462\Transsexual.com
    Transsexual.com T
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3656
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\473462\T

Filesize
510KB

MD5
54eb596437eab636696ff49e5a6d88a1

SHA1
188b4d1c3be90e866442b95674fca99d85647cf4

SHA256
41fe531e5fecb8fa023e91fb5b58d086c3d878dd53fda9c079e998abd84c9924

SHA512
4347da154c706ff679fb77a2c530b354b0e1b7ee3cd9c536685b0e73f104faa3d6cd2a4719e2903ec1e1e63024d0fb8c57b180c5a75df544c793cb0aaee0c2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\473462\Transsexual.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arrivals

Filesize
119KB

MD5
b02c6a9d78a70c70c36db6295f34d2fe

SHA1
59ef7165f409a45191b6fee988a840371ef8b206

SHA256
1e18b1414bf3b90ef200953c0736652769b91a531cbb01f22a7aad349b78e8b1

SHA512
8c13db2acd991882bd640a07c8d8ddfaa52e03be8d729d08a8ef4a79f62c1c2d1338f0133c979fffaee1d54e8153c7117171152d0556f36111526fb23420a6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butterfly

Filesize
145KB

MD5
67af633bcda822a689f0d4159fc8192a

SHA1
ffe4e31f976d0505a8a3c1f7c78d4fc251a33652

SHA256
70e8300674ed637f96039b6a8998e1efa860607477660c6f86d711cdf7e3c0a3

SHA512
a5d28c2a81e9a5a208550593b659c86e04aa5e364ce506e3591572c6ccbd0c375d53e1c2ec619576e234be833e769a0a89496f503b69f338a95bdd6bdb491c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carrier

Filesize
68KB

MD5
0b43c7d364ea52cb2daee807ea1de1b2

SHA1
2197675133941ccf9d146980997a15653de91a66

SHA256
92c6ebcd144863128d41b579de74c0701637d23240a5ee24b52a37be54c01c82

SHA512
f503651880ecc6ec5fdacd701d7d3e677da466bad03707553f6b9aaba0464661f42d8ef236d7faf08372d4d23b74455d33b9b68627b6c46f9ccb8a2d39f39318

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conflicts

Filesize
39KB

MD5
8c4c90b55cccf4d12b55654b49efd119

SHA1
315d93961d4086debb5afed9ac579f4fd336b070

SHA256
954c5f25acc2e21b2e3a6321b33786c52986b261b033b86d6701d08875452c8f

SHA512
58d3d2735bf2e20841dc4b57eaba4f9984769f75dc3afe13b91c4e27338e980b55401517f7d34958696b42025bd571f1e49f7e147969fda7c44224f3266e1bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Counter

Filesize
47KB

MD5
cc9e1534682bb14d0932d6bc78bd140d

SHA1
ce945013808efaa776137f03b1e07b2100269b09

SHA256
2358e6bc4b72178104734968cee422c75b96ee4354362cef63b3981121336a1b

SHA512
57098b6a96dc410a99ba35f918ba8801b4ed0e445adab24c3ae29a592f886909198464e6c5db2bbc5bb46d2bd172b9a53842b81ca21615e3767e4242cd8f00e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eat

Filesize
86KB

MD5
5a824be63819a34585f200bc2ce6ee4f

SHA1
b0048413ffd4dddbc6ee9a0af53e21caee214444

SHA256
741867abf544fb3bfeb5f17d9c20f5a6416aa45a9488cf4cc622d954659bb839

SHA512
8a7f73e33f922c318fd278bdff55cf68126d300e1a2ed19ff3124ab8f10344b71bae181946f7aa1f5299a4411916019da32afa4657d26ea177cd569c6cbd8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Estate

Filesize
9KB

MD5
c9fb74eb2912ded3889c7e1be8348c50

SHA1
ab9252f33396c225c772aba1316a53fc1a43e0eb

SHA256
5a9ec479d60db60529bb293ae2744fb6cbc7dfdb5f93704ed6c35a87bb673900

SHA512
04a1d21b9a72c75bbd9d6b1019084176b024edfd820db35345f3f31d36359392bd25ea8172507cb2070ab1ec2fc792c500a6be38cf63d8bda2e0408bb5c00c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Execution

Filesize
78KB

MD5
424366f48020245d52f442457522c72e

SHA1
7630d1c80d44e3883babe26f8a44ec4b9962e153

SHA256
3914f3721ba95c0a41f475b9b382ac51328ef30a3896307886cba72d0887a00b

SHA512
869b521f8d1169a3b9e5a49c4922375661e1c991a8adf0504fa2b98d73ba0de6b3ba18c0f2a193e117b704608713bc469d3e736c70de74efc0cd49d90ca4a49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insulin

Filesize
134KB

MD5
07572d6804ff4c19469ed4fea527bb0a

SHA1
f564790ea9ba9c62ca66583b718616b0c3298abf

SHA256
7e0755755fac87ef4326ecd21ffd389b4e01b43fad2bdc606368a4de795019cc

SHA512
5aa52f77fd56d8df76436c6425ba95fe6c5cd5456799413ebf6fb9cae35dc2ee50c9a78349cab8a5ab9a7eff387de69a59139ea48dc9219d33aefb76d204e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kirk

Filesize
2KB

MD5
627cc51aa5928b7afac996f84c65edda

SHA1
c8a03c880af3ff8a0d73d060790fe8c75f51680b

SHA256
422b8ff276a89a97e19fc47001d6d369f9fa4f939a73591e42d01df0571dcb0d

SHA512
d01ec7623eb50f15d1dbd07def27e9875a82c6c53e7edb2d3be1086a388a8b93473c1c04cec61a9ac520dbb75dca7904f9364af5122d6bea776319c908d46173

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ohio

Filesize
89KB

MD5
9e81df2e6e72aef938fc607308721c4f

SHA1
b7b612b1cb2e9ffd44bccac72c6b0f9ecb9fafd5

SHA256
fea887fbe65c4174306adc0d8fd0cb3f766504e297e983ed1bcd5ace0d33bf20

SHA512
4711474cd1722ce67538f91ff6e5207b8dbb02d932bafb9adc5920856cbe08684e52b5cd7129825a87a81113a46f9cd8e76f0e252ab12129147ca1e1ffc4d575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Page

Filesize
91KB

MD5
0813761c0e8d31fe32f24966b2014e8f

SHA1
3560e330b82cc811cf029c94d9baf490f9c8debe

SHA256
839dc45030ffeb4f9fb743e6b09d6ec672231800159373a57b3e75a2f661bf6f

SHA512
91addd2042e71c55cd64afdc94d4be93c68898fc326e67c02c1a457d727a9285693e639aba74a6ad2463511c75a5e89e0056b450c14c5573424754ae03e3ceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paragraphs

Filesize
57KB

MD5
ff9050acccd78752d3b159d25f03ab8b

SHA1
0559e970ead75ed0a376e46e764f3f0649b95fd6

SHA256
fc616895d20bf6f3c9aa49a4f767141131770860cc8935ef4ffdd33f568b883f

SHA512
597014cb667c42b9fd7344b060a86c6c5b498b194c2f14c279daa0122b919d848acd7f9cd470c8525ac1f5fc692194cd76ba61af34395ac229600b08398c70ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pools

Filesize
107KB

MD5
9f82c59bec6378bbc2e2a9df4096eeb3

SHA1
e6859ec91cb35762a22fe56882f7b22bddb3f364

SHA256
6977e79b088006aa1c041dcad49d5e7d6b87a2b471dd3474ada45aa4cdfff96b

SHA512
bdf4b7d42c4ba0950b55f9cb3bc6f21d044bea359ca8af3054367c25fc08ee95ac564807a3ceb7547be5869c8daa18a74a37fc225f587739ca400582207a2feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recipes

Filesize
119KB

MD5
63c71b6d776cecc47c9139062276e8d6

SHA1
3e5cfb7ab1ae0cf691b8bad6d6d0bf2e4a14e12b

SHA256
f0c1488318cf5ba2b32781d0d90fba285173a64926bdaa367033459ee03026cd

SHA512
960b57102d3d7f0dedbae071e281f5aef41f7573eb0a88838f9a50a7d15304abe4eb766902429a340d2d4f8356c2ec208a1047e1bfaac5248de60c625d1ac541

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shade

Filesize
102KB

MD5
e7e6d855492b77e14b7b9af97dadcec2

SHA1
706a330bce9fe64a1de299926eab72b068f3f2f5

SHA256
7b4c95b4d6a3e5643910b428621d799b1128565c1afb89d93565877c6c134722

SHA512
20ed2098bb858a85f68696e661e7d8cc178010f52a212914e4031af9e125eb9c192f52bfc659967e74eb6a6c15ea0cd59d629aa09ef171eebc6a52d5422794f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shown

Filesize
67KB

MD5
76c8328d94671a268957210f3e5087b2

SHA1
7a7fb61eee7df7d32b9602af0b05a2c432915884

SHA256
81e4fc4bfc6d9a29bc5609fd230cd7f6a29bcffd5b6ac3572e133cce468f02d4

SHA512
26d2cd04a444e1ca43d76dfcd7a8ac8df0326df96ccef2cabf0618db14e83cc2a421191fdd51a8d1006e4ee4858beb664f1e5f9d29ee7fea4bdf3f394a00994f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Simply

Filesize
84KB

MD5
8a4d89ea47e3268bd38caa62b72e6387

SHA1
63f3940e484dee842f7c0133f0b787b5fc8ef4ca

SHA256
df840ffdd49f51c24d02cd99a1cb85471688d982660b83f5420e0ebfd938093e

SHA512
317fb7c9ab1d390f9b43a220530cf93ec7c8c9f4bccb91f69cb9ac3b29523116b3fbf7fc49fbac4b2c52d9cd34833a02424725f745f6eb7b08b4d137a7d76453

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vote

Filesize
477KB

MD5
d28db7fd22dc2fbce397bafd6b6fcdb4

SHA1
dd8afc636ea9714c135747275f6877f206f75ba5

SHA256
e5af4a5d579d966d088995f47a8980c2856082d9531f3f01b4767e43c940471d

SHA512
4d4501f128840c1be7308475ad5f0ffe2afebdf191643826777fb527793207c613bd07c5a6fa07d7dbf5ab7910e79a8cd84e1486439ca1568ec2b0ee3a4d5d2f

Download Submit
memory/3656-277-0x00000000039E0000-0x0000000003A3D000-memory.dmp

Filesize
372KB

Download
memory/3656-279-0x00000000039E0000-0x0000000003A3D000-memory.dmp

Filesize
372KB

Download
memory/3656-276-0x00000000039E0000-0x0000000003A3D000-memory.dmp

Filesize
372KB

Download
memory/3656-280-0x00000000039E0000-0x0000000003A3D000-memory.dmp

Filesize
372KB

Download
memory/3656-278-0x00000000039E0000-0x0000000003A3D000-memory.dmp

Filesize
372KB

Download