661d12b5e6cb61f54086d48b865ef5989ec00379f52b92fdb68b2ef59eddef43

Analysis

max time kernel
51s
max time network
54s
platform
windows10_x64
resource
win10v20201028
submitted
01-12-2020 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads3/SetupFille-v48.09.45.bin.exe
Size

4.5MB
MD5

c05ddb2a410ea04438f007017b097a86
SHA1

11f49966eec106ebb28c902ac1a98b8d7a4d7df1
SHA256

a4ed325ac7da7720a5426ca756d2c700a46cd087eab062ef287734360deebd4f
SHA512

fba4a5af7371f7991f5dfed9597f8d90579e0224db3a917fab47e6bf439d143c9e7c6e4732c7241d734b0f5bdca5a66ae44e1c6ec19abd2b596b78bdc3df4ec2

Score

8^/10

bootkit macro persistence spyware

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

setup.exealiens.exe343FDE4AA8FEB634.exe343FDE4AA8FEB634.exe1606832152306.exe1606832160869.exe1606832167447.exe1606832170771.exe

pid	process
524	setup.exe
4268	aliens.exe
1672	343FDE4AA8FEB634.exe
4496	343FDE4AA8FEB634.exe
2212	1606832152306.exe
2644	1606832160869.exe
3696	1606832167447.exe
1084	1606832170771.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 4 IoCs

Processes:

SetupFille-v48.09.45.bin.exeMsiExec.exe

pid process

4728 SetupFille-v48.09.45.bin.exe
4728 SetupFille-v48.09.45.bin.exe
4728 SetupFille-v48.09.45.bin.exe
4492 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4728	SetupFille-v48.09.45.bin.exe
4728	SetupFille-v48.09.45.bin.exe
4728	SetupFille-v48.09.45.bin.exe
4492	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	js

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

343FDE4AA8FEB634.exealiens.exe343FDE4AA8FEB634.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	343FDE4AA8FEB634.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	343FDE4AA8FEB634.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

4268 aliens.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

343FDE4AA8FEB634.exe

description	pid	process	target process
PID 1672 set thread context of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 set thread context of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 set thread context of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 set thread context of 4604	1672	343FDE4AA8FEB634.exe	firefox.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\1owwofvjzp22	setup.exe
File created	C:\Program Files (x86)\1owwofvjzp22\__tmp_rar_sfx_access_check_259278390	setup.exe
File created	C:\Program Files (x86)\1owwofvjzp22\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\1owwofvjzp22\aliens.exe	setup.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\1owwofvjzp22\aliens.exe	nsis_installer_1
C:\Program Files (x86)\1owwofvjzp22\aliens.exe	nsis_installer_2
C:\Program Files (x86)\1owwofvjzp22\aliens.exe	nsis_installer_1
C:\Program Files (x86)\1owwofvjzp22\aliens.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

343FDE4AA8FEB634.exe343FDE4AA8FEB634.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	343FDE4AA8FEB634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	343FDE4AA8FEB634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	343FDE4AA8FEB634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	343FDE4AA8FEB634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	343FDE4AA8FEB634.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	343FDE4AA8FEB634.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1592 taskkill.exe

pid	process
1592	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

aliens.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

640 PING.EXE
2656 PING.EXE

pid	process
640	PING.EXE
2656	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1606832152306.exe1606832160869.exe1606832167447.exe1606832170771.exe

pid	process
2212	1606832152306.exe
2212	1606832152306.exe
2644	1606832160869.exe
2644	1606832160869.exe
3696	1606832167447.exe
3696	1606832167447.exe
1084	1606832170771.exe
1084	1606832170771.exe

Suspicious use of AdjustPrivilegeToken 96 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2136	msiexec.exe
Token: SeLockMemoryPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeMachineAccountPrivilege	2136	msiexec.exe
Token: SeTcbPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeLoadDriverPrivilege	2136	msiexec.exe
Token: SeSystemProfilePrivilege	2136	msiexec.exe
Token: SeSystemtimePrivilege	2136	msiexec.exe
Token: SeProfSingleProcessPrivilege	2136	msiexec.exe
Token: SeIncBasePriorityPrivilege	2136	msiexec.exe
Token: SeCreatePagefilePrivilege	2136	msiexec.exe
Token: SeCreatePermanentPrivilege	2136	msiexec.exe
Token: SeBackupPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeDebugPrivilege	2136	msiexec.exe
Token: SeAuditPrivilege	2136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2136	msiexec.exe
Token: SeChangeNotifyPrivilege	2136	msiexec.exe
Token: SeRemoteShutdownPrivilege	2136	msiexec.exe
Token: SeUndockPrivilege	2136	msiexec.exe
Token: SeSyncAgentPrivilege	2136	msiexec.exe
Token: SeEnableDelegationPrivilege	2136	msiexec.exe
Token: SeManageVolumePrivilege	2136	msiexec.exe
Token: SeImpersonatePrivilege	2136	msiexec.exe
Token: SeCreateGlobalPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2136	msiexec.exe
Token: SeLockMemoryPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeMachineAccountPrivilege	2136	msiexec.exe
Token: SeTcbPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeLoadDriverPrivilege	2136	msiexec.exe
Token: SeSystemProfilePrivilege	2136	msiexec.exe
Token: SeSystemtimePrivilege	2136	msiexec.exe
Token: SeProfSingleProcessPrivilege	2136	msiexec.exe
Token: SeIncBasePriorityPrivilege	2136	msiexec.exe
Token: SeCreatePagefilePrivilege	2136	msiexec.exe
Token: SeCreatePermanentPrivilege	2136	msiexec.exe
Token: SeBackupPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeDebugPrivilege	2136	msiexec.exe
Token: SeAuditPrivilege	2136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2136	msiexec.exe
Token: SeChangeNotifyPrivilege	2136	msiexec.exe
Token: SeRemoteShutdownPrivilege	2136	msiexec.exe
Token: SeUndockPrivilege	2136	msiexec.exe
Token: SeSyncAgentPrivilege	2136	msiexec.exe
Token: SeEnableDelegationPrivilege	2136	msiexec.exe
Token: SeManageVolumePrivilege	2136	msiexec.exe
Token: SeImpersonatePrivilege	2136	msiexec.exe
Token: SeCreateGlobalPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2136	msiexec.exe
Token: SeLockMemoryPrivilege	2136	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2136 msiexec.exe

pid	process
2136	msiexec.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

aliens.exe343FDE4AA8FEB634.exe343FDE4AA8FEB634.exefirefox.exe1606832152306.exefirefox.exe1606832160869.exefirefox.exe1606832167447.exefirefox.exe1606832170771.exe

pid	process
4268	aliens.exe
1672	343FDE4AA8FEB634.exe
4496	343FDE4AA8FEB634.exe
1236	firefox.exe
2212	1606832152306.exe
3052	firefox.exe
2644	1606832160869.exe
1328	firefox.exe
3696	1606832167447.exe
4604	firefox.exe
1084	1606832170771.exe

Suspicious use of WriteProcessMemory 72 IoCs

Processes:

SetupFille-v48.09.45.bin.exesetup.exealiens.exemsiexec.execmd.exe343FDE4AA8FEB634.exe343FDE4AA8FEB634.execmd.execmd.exe

description	pid	process	target process
PID 4728 wrote to memory of 524	4728	SetupFille-v48.09.45.bin.exe	setup.exe
PID 4728 wrote to memory of 524	4728	SetupFille-v48.09.45.bin.exe	setup.exe
PID 4728 wrote to memory of 524	4728	SetupFille-v48.09.45.bin.exe	setup.exe
PID 524 wrote to memory of 4268	524	setup.exe	aliens.exe
PID 524 wrote to memory of 4268	524	setup.exe	aliens.exe
PID 524 wrote to memory of 4268	524	setup.exe	aliens.exe
PID 4268 wrote to memory of 2136	4268	aliens.exe	msiexec.exe
PID 4268 wrote to memory of 2136	4268	aliens.exe	msiexec.exe
PID 4268 wrote to memory of 2136	4268	aliens.exe	msiexec.exe
PID 4268 wrote to memory of 1672	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4268 wrote to memory of 1672	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4268 wrote to memory of 1672	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4268 wrote to memory of 4496	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4268 wrote to memory of 4496	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4268 wrote to memory of 4496	4268	aliens.exe	343FDE4AA8FEB634.exe
PID 4444 wrote to memory of 4492	4444	msiexec.exe	MsiExec.exe
PID 4444 wrote to memory of 4492	4444	msiexec.exe	MsiExec.exe
PID 4444 wrote to memory of 4492	4444	msiexec.exe	MsiExec.exe
PID 4268 wrote to memory of 660	4268	aliens.exe	cmd.exe
PID 4268 wrote to memory of 660	4268	aliens.exe	cmd.exe
PID 4268 wrote to memory of 660	4268	aliens.exe	cmd.exe
PID 660 wrote to memory of 640	660	cmd.exe	PING.EXE
PID 660 wrote to memory of 640	660	cmd.exe	PING.EXE
PID 660 wrote to memory of 640	660	cmd.exe	PING.EXE
PID 4496 wrote to memory of 1216	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 4496 wrote to memory of 1216	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 4496 wrote to memory of 1216	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1236	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1216 wrote to memory of 1592	1216	cmd.exe	taskkill.exe
PID 1216 wrote to memory of 1592	1216	cmd.exe	taskkill.exe
PID 1216 wrote to memory of 1592	1216	cmd.exe	taskkill.exe
PID 1672 wrote to memory of 2212	1672	343FDE4AA8FEB634.exe	1606832152306.exe
PID 1672 wrote to memory of 2212	1672	343FDE4AA8FEB634.exe	1606832152306.exe
PID 1672 wrote to memory of 2212	1672	343FDE4AA8FEB634.exe	1606832152306.exe
PID 4496 wrote to memory of 2392	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 4496 wrote to memory of 2392	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 4496 wrote to memory of 2392	4496	343FDE4AA8FEB634.exe	cmd.exe
PID 2392 wrote to memory of 2656	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2656	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2656	2392	cmd.exe	PING.EXE
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3052	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 2644	1672	343FDE4AA8FEB634.exe	1606832160869.exe
PID 1672 wrote to memory of 2644	1672	343FDE4AA8FEB634.exe	1606832160869.exe
PID 1672 wrote to memory of 2644	1672	343FDE4AA8FEB634.exe	1606832160869.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 1328	1672	343FDE4AA8FEB634.exe	firefox.exe
PID 1672 wrote to memory of 3696	1672	343FDE4AA8FEB634.exe	1606832167447.exe
PID 1672 wrote to memory of 3696	1672	343FDE4AA8FEB634.exe	1606832167447.exe
PID 1672 wrote to memory of 3696	1672	343FDE4AA8FEB634.exe	1606832167447.exe
PID 1672 wrote to memory of 4604	1672	343FDE4AA8FEB634.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\Downloads3\SetupFille-v48.09.45.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads3\SetupFille-v48.09.45.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\0\setup.exe" -s
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files (x86)\1owwofvjzp22\aliens.exe
"C:\Program Files (x86)\1owwofvjzp22\aliens.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2136

C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe 0011 installp2
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Users\Admin\AppData\Roaming\1606832152306.exe
"C:\Users\Admin\AppData\Roaming\1606832152306.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606832152306.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Users\Admin\AppData\Roaming\1606832160869.exe
"C:\Users\Admin\AppData\Roaming\1606832160869.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606832160869.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Users\Admin\AppData\Roaming\1606832167447.exe
"C:\Users\Admin\AppData\Roaming\1606832167447.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606832167447.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Users\Admin\AppData\Roaming\1606832170771.exe
"C:\Users\Admin\AppData\Roaming\1606832170771.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606832170771.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe 200 installp2
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\1owwofvjzp22\aliens.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BDF832EDE5AA95E1E69EA7D5946F94C2 C
2⤵
- Loads dropped DLL
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1owwofvjzp22\aliens.exe
MD5
dadf1a1c7cc6dc56799d981af6c00c4f

SHA1
6d3c2589cbad2d9f4c5b19f337c897bb7e8009e3

SHA256
38fb720b6637288f80f6b5d9b5e18e83c461da6429c2a505a260e618193aec17

SHA512
ca9361456fd19514596ea58f3bbf7d1480a864decf7abb34484dcdd44f525385f85b5a2ebd9dacc69c0749ccc40c1f93d414cc0e52f5a0aa7aa52218fc9b368d

Download Submit
C:\Program Files (x86)\1owwofvjzp22\aliens.exe
MD5
bda8e714914ad3c65caae55e50314f37

SHA1
6d2f9611fed2595b727b5932a54b27b425903f4c

SHA256
4a86f9ea71275fb3e80ae4a655e826079631ed238bb09b369deb86dae944b9a5

SHA512
103b0b9b30fb9d0b40f64bac2bb304c6255b4f2224eabe23339bff6e3e91c82e4bf478426145342726c5617a708515520c18b99f4ba69db3c02f2e381e760f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe
MD5
8bcf17d84fe713c078672e1ae28ade35

SHA1
6aa140c95db0ff9294320b536bcdde58bad4e99d

SHA256
8f7c2586ac759549d2b578b53a22c56927c7ce3827a7511c7e918dd7ca3227e3

SHA512
4cdf29dbe793d1a7b34aa9600041f96c1eb282d2235da461b890bdd7d2758fcfd0c35af0c12e23bb8cc26e5bb2d5463fae808f7295fab506d62e61a662623cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe
MD5
c9f6fc48c9d00a210081c599a2b0ac5d

SHA1
0bf78830b909c574b13d1e0ad66368b9d9c84b9d

SHA256
7042f618b5842108e8cfbbc46de1dd79625e0f53744973a1e5a4579c6d642eeb

SHA512
91ce5b9f9f005f5fbb594e95e911757a21b582d84dbf14d187a3f549f2921a5471eab51ba91f3af5e34bca8aead66ad26d82797b77cb09852579f044cce50608

Download Submit
C:\Users\Admin\AppData\Local\Temp\343FDE4AA8FEB634.exe
MD5
d86d1e0713484680682b3ba00022590c

SHA1
e3fb78a5c76dd0f5d84628448e34064f5e1249d7

SHA256
eacf6a493a1a192fd4dd42ec9c049f978029636cda39d1a72615cc74a62342b1

SHA512
70d542e3dbf457419e65daff56f1bf0a1a1bcabb9fec04e99a24c73f8f3b1336db5e22a03750b8da43860f0368fcafaf6145f7416f3124d5eebb5cf742e14963

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7804.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\0\setup.exe
MD5
71746b40c5c4df186468a8fd3dba31cc

SHA1
aa81d696731c349c91679711b1c72e189bbfae37

SHA256
8665b7655ba510f6496d7fe8c974335a162be9c4f6892a1bc38e01dc4e3b04e1

SHA512
52f35c0e7a7c5947eb46fea37db662729e9446eca8b08e2c49c7deea9d21f5ffb44d5de2521f8259ca9e589e980833a9803534d09377a2066b29875515995e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\0\setup.exe
MD5
71746b40c5c4df186468a8fd3dba31cc

SHA1
aa81d696731c349c91679711b1c72e189bbfae37

SHA256
8665b7655ba510f6496d7fe8c974335a162be9c4f6892a1bc38e01dc4e3b04e1

SHA512
52f35c0e7a7c5947eb46fea37db662729e9446eca8b08e2c49c7deea9d21f5ffb44d5de2521f8259ca9e589e980833a9803534d09377a2066b29875515995e7c

Download Submit
C:\Users\Admin\AppData\Roaming\1606832152306.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832152306.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832152306.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1606832160869.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832160869.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832160869.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1606832167447.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832167447.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832167447.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1606832170771.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832170771.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1606832170771.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7804.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\nsu3937.tmp\Sibuia.dll
MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\AppData\Local\Temp\sib3AEE.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
memory/524-9-0x0000000000000000-mapping.dmp

Download
memory/640-29-0x0000000000000000-mapping.dmp

Download
memory/660-26-0x0000000000000000-mapping.dmp

Download
memory/1084-55-0x0000000000000000-mapping.dmp

Download
memory/1216-32-0x0000000000000000-mapping.dmp

Download
memory/1236-34-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1236-33-0x00007FF7E01D8270-mapping.dmp

Download
memory/1328-48-0x00007FF7E01D8270-mapping.dmp

Download
memory/1592-35-0x0000000000000000-mapping.dmp

Download
memory/1672-30-0x00000000056A0000-0x0000000005B51000-memory.dmp

Filesize
4.7MB

Download
memory/1672-18-0x0000000000000000-mapping.dmp

Download
memory/2136-16-0x0000000000000000-mapping.dmp

Download
memory/2212-36-0x0000000000000000-mapping.dmp

Download
memory/2392-39-0x0000000000000000-mapping.dmp

Download
memory/2644-43-0x0000000000000000-mapping.dmp

Download
memory/2656-41-0x0000000000000000-mapping.dmp

Download
memory/3052-42-0x00007FF7E01D8270-mapping.dmp

Download
memory/3696-49-0x0000000000000000-mapping.dmp

Download
memory/4268-15-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/4268-12-0x0000000000000000-mapping.dmp

Download
memory/4492-22-0x0000000000000000-mapping.dmp

Download
memory/4496-31-0x0000000004D40000-0x00000000051F1000-memory.dmp

Filesize
4.7MB

Download
memory/4496-21-0x0000000000000000-mapping.dmp

Download
memory/4604-54-0x00007FF7E01D8270-mapping.dmp

Download
memory/4728-8-0x0000000010C70000-0x0000000010C71000-memory.dmp

Filesize
4KB

Download
memory/4728-6-0x0000000010C50000-0x0000000010C51000-memory.dmp

Filesize
4KB

Download
memory/4728-3-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download