lumma | d0a7fdf90ae6737edbe06f66193cd16258c1702f078aa62f88755e83826dfa6a

Analysis

max time kernel
154s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FieroHack.exe
Size

838.7MB
MD5

1d0585eab895c1fd0a71078255f0389d
SHA1

bf47c52f76e3e9fab779ec6cf527377454e05ec9
SHA256

cb1ae1c234b97b5f75d8c8e1f05649b284f9146d89ca5853fcf49ecc0883fd8d
SHA512

0dd7a3b4e8e6f291808113466d2ff29a068531660ec4958f0898fd08102e167859620174878c6e013420611e98efb94754a9ceb8e7dc677ad3d3184994a6d9c9
SSDEEP

98304:YSYl+O1E/Uo8EoT9AfvDm+CIUzwNhSkPsiQ5HiGIzH:YS7Uo/bfyhIUzilXI

Score

10^/10

lumma xmrig discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/2716-111-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-118-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-117-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-116-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-114-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-115-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-112-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/2716-125-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
2584	powershell.exe
1676	powershell.exe
4080	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
3652	WeMod.exe
868	Sirus.exe
3956	Sirus.exe
5108	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2876	powercfg.exe
3128	powercfg.exe
4980	powercfg.exe
4280	powercfg.exe
316	powercfg.exe
3684	powercfg.exe
3144	powercfg.exe
2296	powercfg.exe
1836	powercfg.exe
4208	powercfg.exe
4448	powercfg.exe
4364	powercfg.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\2992.obs	blvsiwuhlygz.exe
File opened for modification	C:\Windows\system32\MRT.exe	blvsiwuhlygz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	blvsiwuhlygz.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\5108.obs	blvsiwuhlygz.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WeMod.exe
File opened for modification	C:\Windows\system32\MRT.exe	blvsiwuhlygz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	blvsiwuhlygz.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3652	WeMod.exe
5108	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 3956	868	Sirus.exe	91
PID 5108 set thread context of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 set thread context of 2716	5108	blvsiwuhlygz.exe	153
PID 2992 set thread context of 4156	2992	blvsiwuhlygz.exe	180

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-109-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-111-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-118-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-117-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-116-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-114-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-115-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-110-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-112-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-107-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-108-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-106-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/2716-125-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1676	sc.exe
2564	sc.exe
1748	sc.exe
1056	sc.exe
4324	sc.exe
4556	sc.exe
4596	sc.exe
5036	sc.exe
2292	sc.exe
1700	sc.exe
1840	sc.exe
4524	sc.exe
2080	sc.exe
5044	sc.exe
4600	sc.exe
1384	sc.exe
4592	sc.exe
5112	sc.exe
1936	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FieroHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sirus.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
2216	powershell.exe
2216	powershell.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
3652	WeMod.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
2584	powershell.exe
2584	powershell.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
5108	blvsiwuhlygz.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
4544	conhost.exe
1676	powershell.exe
1676	powershell.exe
4544	conhost.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
4080	powershell.exe
4080	powershell.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
2992	blvsiwuhlygz.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeShutdownPrivilege	4980	powercfg.exe
Token: SeCreatePagefilePrivilege	4980	powercfg.exe
Token: SeShutdownPrivilege	1836	powercfg.exe
Token: SeCreatePagefilePrivilege	1836	powercfg.exe
Token: SeShutdownPrivilege	4208	powercfg.exe
Token: SeCreatePagefilePrivilege	4208	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeCreatePagefilePrivilege	2876	powercfg.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeShutdownPrivilege	316	powercfg.exe
Token: SeCreatePagefilePrivilege	316	powercfg.exe
Token: SeShutdownPrivilege	3128	powercfg.exe
Token: SeCreatePagefilePrivilege	3128	powercfg.exe
Token: SeShutdownPrivilege	3684	powercfg.exe
Token: SeCreatePagefilePrivilege	3684	powercfg.exe
Token: SeLockMemoryPrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	4280	powercfg.exe
Token: SeCreatePagefilePrivilege	4280	powercfg.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeShutdownPrivilege	4364	powercfg.exe
Token: SeCreatePagefilePrivilege	4364	powercfg.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeShutdownPrivilege	2296	powercfg.exe
Token: SeCreatePagefilePrivilege	2296	powercfg.exe
Token: SeShutdownPrivilege	3144	powercfg.exe
Token: SeCreatePagefilePrivilege	3144	powercfg.exe
Token: SeLockMemoryPrivilege	4156	explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 3652	3520	FieroHack.exe	81
PID 3520 wrote to memory of 3652	3520	FieroHack.exe	81
PID 3520 wrote to memory of 868	3520	FieroHack.exe	86
PID 3520 wrote to memory of 868	3520	FieroHack.exe	86
PID 3520 wrote to memory of 868	3520	FieroHack.exe	86
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 868 wrote to memory of 3956	868	Sirus.exe	91
PID 4904 wrote to memory of 3644	4904	cmd.exe	99
PID 4904 wrote to memory of 3644	4904	cmd.exe	99
PID 1228 wrote to memory of 1708	1228	cmd.exe	127
PID 1228 wrote to memory of 1708	1228	cmd.exe	127
PID 1812 wrote to memory of 1596	1812	cmd.exe	136
PID 1812 wrote to memory of 1596	1812	cmd.exe	136
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 4544	5108	blvsiwuhlygz.exe	149
PID 5108 wrote to memory of 2716	5108	blvsiwuhlygz.exe	153
PID 5108 wrote to memory of 2716	5108	blvsiwuhlygz.exe	153
PID 5108 wrote to memory of 2716	5108	blvsiwuhlygz.exe	153
PID 5108 wrote to memory of 2716	5108	blvsiwuhlygz.exe	153
PID 5108 wrote to memory of 2716	5108	blvsiwuhlygz.exe	153
PID 4492 wrote to memory of 4296	4492	cmd.exe	164
PID 4492 wrote to memory of 4296	4492	cmd.exe	164
PID 2992 wrote to memory of 4156	2992	blvsiwuhlygz.exe	180
PID 2992 wrote to memory of 4156	2992	blvsiwuhlygz.exe	180
PID 2992 wrote to memory of 4156	2992	blvsiwuhlygz.exe	180
PID 2992 wrote to memory of 4156	2992	blvsiwuhlygz.exe	180
PID 2992 wrote to memory of 4156	2992	blvsiwuhlygz.exe	180

C:\Users\Admin\AppData\Local\Temp\FieroHack.exe
"C:\Users\Admin\AppData\Local\Temp\FieroHack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Roaming\WeMod.exe
  C:\Users\Admin\AppData\Roaming\WeMod.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2564
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1676
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WHAMNXEF"
    3⤵
    - Launches sc.exe
    PID:1700
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WHAMNXEF" binpath= "C:\ProgramData\jlspkeimqrvm\blvsiwuhlygz.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WHAMNXEF"
    3⤵
    - Launches sc.exe
    PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1708
- C:\Users\Admin\AppData\Roaming\Sirus.exe
  C:\Users\Admin\AppData\Roaming\Sirus.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Roaming\Sirus.exe
    "C:\Users\Admin\AppData\Roaming\Sirus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3956

C:\ProgramData\jlspkeimqrvm\blvsiwuhlygz.exe
C:\ProgramData\jlspkeimqrvm\blvsiwuhlygz.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4556
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5044
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5036
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4324
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2080
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\ProgramData\jlspkeimqrvm\blvsiwuhlygz.exe
    "C:\ProgramData\jlspkeimqrvm\blvsiwuhlygz.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4296
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5112
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1936
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1384
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2292
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4364
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4448
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3144
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzthfica.n1c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\ridqcffpegqe.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b76a21ed1d8ecb1a9fc98c3cb10282b2

SHA1
6d5bf9404816e7be86553b556b0c59f76197181f

SHA256
4dd2e781cc86f7da5d4acabf23399cf326c0cf1eecda79558fcd67193c24fc45

SHA512
0c4e37dc5c42042c7fb8cc413ab053164171038d7d30ed5c86b7823c7442b5d6898747d0377ca506a4143a3cfbc25c378bc33c9116a1b3a3a137e24b230dbcf6

Download Submit
memory/868-31-0x0000000000E5F000-0x0000000000E60000-memory.dmp

Filesize
4KB

Download
memory/2216-33-0x000001673C020000-0x000001673C042000-memory.dmp

Filesize
136KB

Download
memory/2584-93-0x000001E4ABCF0000-0x000001E4ABCF8000-memory.dmp

Filesize
32KB

Download
memory/2584-95-0x000001E4ABD30000-0x000001E4ABD3A000-memory.dmp

Filesize
40KB

Download
memory/2584-91-0x000001E4ABCE0000-0x000001E4ABCEA000-memory.dmp

Filesize
40KB

Download
memory/2584-90-0x000001E4ABD00000-0x000001E4ABD1C000-memory.dmp

Filesize
112KB

Download
memory/2584-89-0x000001E4ABB90000-0x000001E4ABB9A000-memory.dmp

Filesize
40KB

Download
memory/2584-87-0x000001E4ABAB0000-0x000001E4ABACC000-memory.dmp

Filesize
112KB

Download
memory/2584-88-0x000001E4ABAD0000-0x000001E4ABB85000-memory.dmp

Filesize
724KB

Download
memory/2584-94-0x000001E4ABD20000-0x000001E4ABD26000-memory.dmp

Filesize
24KB

Download
memory/2584-92-0x000001E4ABD40000-0x000001E4ABD5A000-memory.dmp

Filesize
104KB

Download
memory/2716-116-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-107-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-111-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-118-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-125-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-106-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-108-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-109-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-112-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-110-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-113-0x0000000000980000-0x00000000009A0000-memory.dmp

Filesize
128KB

Download
memory/2716-115-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-114-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2716-117-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2992-157-0x00007FF6092C0000-0x00007FF609805000-memory.dmp

Filesize
5.3MB

Download
memory/2992-198-0x00007FF6092C0000-0x00007FF609805000-memory.dmp

Filesize
5.3MB

Download
memory/3652-12-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-21-0x00007FFC1FF50000-0x00007FFC20219000-memory.dmp

Filesize
2.8MB

Download
memory/3652-5-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-6-0x00007FF77FD41000-0x00007FF77FFF5000-memory.dmp

Filesize
2.7MB

Download
memory/3652-20-0x00007FFC22490000-0x00007FFC22685000-memory.dmp

Filesize
2.0MB

Download
memory/3652-22-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/3652-19-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-7-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-9-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-16-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/3652-17-0x0000020E41D90000-0x0000020E41D91000-memory.dmp

Filesize
4KB

Download
memory/3652-11-0x0000020E41D30000-0x0000020E41D8F000-memory.dmp

Filesize
380KB

Download
memory/3652-10-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-8-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-23-0x00007FF77FD41000-0x00007FF77FFF5000-memory.dmp

Filesize
2.7MB

Download
memory/3652-46-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/3652-43-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-54-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3652-53-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/3652-52-0x00007FFC1FF50000-0x00007FFC20219000-memory.dmp

Filesize
2.8MB

Download
memory/3652-51-0x00007FFC22490000-0x00007FFC22685000-memory.dmp

Filesize
2.0MB

Download
memory/3652-4-0x00007FF77FAB0000-0x00007FF77FFF5000-memory.dmp

Filesize
5.3MB

Download
memory/3956-32-0x0000000000DD0000-0x0000000000EF2000-memory.dmp

Filesize
1.1MB

Download
memory/3956-27-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3956-30-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4544-102-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4544-99-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4544-98-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4544-100-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4544-101-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4544-105-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5108-62-0x0000025F7C790000-0x0000025F7C7EF000-memory.dmp

Filesize
380KB

Download
memory/5108-59-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-61-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-122-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/5108-123-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-58-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-67-0x00007FFC20C10000-0x00007FFC20CAE000-memory.dmp

Filesize
632KB

Download
memory/5108-120-0x00007FFC22490000-0x00007FFC22685000-memory.dmp

Filesize
2.0MB

Download
memory/5108-121-0x00007FFC1FF50000-0x00007FFC20219000-memory.dmp

Filesize
2.8MB

Download
memory/5108-57-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-63-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download
memory/5108-60-0x00007FF7091D0000-0x00007FF709715000-memory.dmp

Filesize
5.3MB

Download