0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318

Analysis

max time kernel
131s
max time network
133s
platform
windows10_x64
resource
win10v20201028
submitted
05-12-2020 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca6df4914385efd4ba9cd239b5ed254.exe
Size

4.5MB
MD5

3ca6df4914385efd4ba9cd239b5ed254
SHA1

b66535ff43334177a5a167b9f2b07ade75484eec
SHA256

0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
SHA512

7951ab74ecd2ea26ed7bbcbc8bf34a770854a8fb009f256f93d72c705871b5a31c24153cc77581eec6544085cdbb51a170b2b7ef9f3f9139572b818d75424ca6

Score

8^/10

bootkit macro persistence spyware

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

setup.exealiens.exe1E1C360C582DF797.exe1E1C360C582DF797.exe1607156958849.exe1607156973458.exe1607157005020.exe1607157019208.exe

pid	process
3920	setup.exe
3824	aliens.exe
3704	1E1C360C582DF797.exe
3940	1E1C360C582DF797.exe
2132	1607156958849.exe
3468	1607156973458.exe
3700	1607157005020.exe
3972	1607157019208.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 4 IoCs

Processes:

3ca6df4914385efd4ba9cd239b5ed254.exeMsiExec.exe

pid process

644 3ca6df4914385efd4ba9cd239b5ed254.exe
644 3ca6df4914385efd4ba9cd239b5ed254.exe
644 3ca6df4914385efd4ba9cd239b5ed254.exe
356 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
644	3ca6df4914385efd4ba9cd239b5ed254.exe
644	3ca6df4914385efd4ba9cd239b5ed254.exe
644	3ca6df4914385efd4ba9cd239b5ed254.exe
356	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	js

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

1E1C360C582DF797.exe1E1C360C582DF797.exealiens.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1E1C360C582DF797.exe
File opened for modification	\??\PhysicalDrive0	1E1C360C582DF797.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

3824 aliens.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1E1C360C582DF797.exe

description	pid	process	target process
PID 3704 set thread context of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 set thread context of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 set thread context of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 set thread context of 864	3704	1E1C360C582DF797.exe	firefox.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\71eza90awf48	setup.exe
File created	C:\Program Files (x86)\71eza90awf48\__tmp_rar_sfx_access_check_259299312	setup.exe
File created	C:\Program Files (x86)\71eza90awf48\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\71eza90awf48\aliens.exe	setup.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_1
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_2
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_1
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1E1C360C582DF797.exe1E1C360C582DF797.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	1E1C360C582DF797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	1E1C360C582DF797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	1E1C360C582DF797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	1E1C360C582DF797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	1E1C360C582DF797.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	1E1C360C582DF797.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1032 taskkill.exe

pid	process
1032	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

aliens.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4064 PING.EXE
204 PING.EXE

pid	process
4064	PING.EXE
204	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1607156958849.exe1607156973458.exe1607157005020.exe1607157019208.exe

pid	process
2132	1607156958849.exe
2132	1607156958849.exe
3468	1607156973458.exe
3468	1607156973458.exe
3700	1607157005020.exe
3700	1607157005020.exe
3972	1607157019208.exe
3972	1607157019208.exe

Suspicious use of AdjustPrivilegeToken 91 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	1968	msiexec.exe
Token: SeCreateTokenPrivilege	2204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2204	msiexec.exe
Token: SeLockMemoryPrivilege	2204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2204	msiexec.exe
Token: SeMachineAccountPrivilege	2204	msiexec.exe
Token: SeTcbPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeLoadDriverPrivilege	2204	msiexec.exe
Token: SeSystemProfilePrivilege	2204	msiexec.exe
Token: SeSystemtimePrivilege	2204	msiexec.exe
Token: SeProfSingleProcessPrivilege	2204	msiexec.exe
Token: SeIncBasePriorityPrivilege	2204	msiexec.exe
Token: SeCreatePagefilePrivilege	2204	msiexec.exe
Token: SeCreatePermanentPrivilege	2204	msiexec.exe
Token: SeBackupPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeShutdownPrivilege	2204	msiexec.exe
Token: SeDebugPrivilege	2204	msiexec.exe
Token: SeAuditPrivilege	2204	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2204	msiexec.exe
Token: SeChangeNotifyPrivilege	2204	msiexec.exe
Token: SeRemoteShutdownPrivilege	2204	msiexec.exe
Token: SeUndockPrivilege	2204	msiexec.exe
Token: SeSyncAgentPrivilege	2204	msiexec.exe
Token: SeEnableDelegationPrivilege	2204	msiexec.exe
Token: SeManageVolumePrivilege	2204	msiexec.exe
Token: SeImpersonatePrivilege	2204	msiexec.exe
Token: SeCreateGlobalPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	2204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2204	msiexec.exe
Token: SeLockMemoryPrivilege	2204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2204	msiexec.exe
Token: SeMachineAccountPrivilege	2204	msiexec.exe
Token: SeTcbPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeLoadDriverPrivilege	2204	msiexec.exe
Token: SeSystemProfilePrivilege	2204	msiexec.exe
Token: SeSystemtimePrivilege	2204	msiexec.exe
Token: SeProfSingleProcessPrivilege	2204	msiexec.exe
Token: SeIncBasePriorityPrivilege	2204	msiexec.exe
Token: SeCreatePagefilePrivilege	2204	msiexec.exe
Token: SeCreatePermanentPrivilege	2204	msiexec.exe
Token: SeBackupPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeShutdownPrivilege	2204	msiexec.exe
Token: SeDebugPrivilege	2204	msiexec.exe
Token: SeAuditPrivilege	2204	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2204	msiexec.exe
Token: SeChangeNotifyPrivilege	2204	msiexec.exe
Token: SeRemoteShutdownPrivilege	2204	msiexec.exe
Token: SeUndockPrivilege	2204	msiexec.exe
Token: SeSyncAgentPrivilege	2204	msiexec.exe
Token: SeEnableDelegationPrivilege	2204	msiexec.exe
Token: SeManageVolumePrivilege	2204	msiexec.exe
Token: SeImpersonatePrivilege	2204	msiexec.exe
Token: SeCreateGlobalPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	2204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2204	msiexec.exe
Token: SeLockMemoryPrivilege	2204	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2204 msiexec.exe

pid	process
2204	msiexec.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

aliens.exe1E1C360C582DF797.exe1E1C360C582DF797.exefirefox.exe1607156958849.exefirefox.exe1607156973458.exefirefox.exe1607157005020.exefirefox.exe1607157019208.exe

pid	process
3824	aliens.exe
3940	1E1C360C582DF797.exe
3704	1E1C360C582DF797.exe
2280	firefox.exe
2132	1607156958849.exe
2452	firefox.exe
3468	1607156973458.exe
2160	firefox.exe
3700	1607157005020.exe
864	firefox.exe
3972	1607157019208.exe

Suspicious use of WriteProcessMemory 72 IoCs

Processes:

3ca6df4914385efd4ba9cd239b5ed254.exesetup.exealiens.exemsiexec.execmd.exe1E1C360C582DF797.exe1E1C360C582DF797.execmd.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 3920	644	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 644 wrote to memory of 3920	644	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 644 wrote to memory of 3920	644	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 3920 wrote to memory of 3824	3920	setup.exe	aliens.exe
PID 3920 wrote to memory of 3824	3920	setup.exe	aliens.exe
PID 3920 wrote to memory of 3824	3920	setup.exe	aliens.exe
PID 3824 wrote to memory of 2204	3824	aliens.exe	msiexec.exe
PID 3824 wrote to memory of 2204	3824	aliens.exe	msiexec.exe
PID 3824 wrote to memory of 2204	3824	aliens.exe	msiexec.exe
PID 3824 wrote to memory of 3704	3824	aliens.exe	1E1C360C582DF797.exe
PID 3824 wrote to memory of 3704	3824	aliens.exe	1E1C360C582DF797.exe
PID 3824 wrote to memory of 3704	3824	aliens.exe	1E1C360C582DF797.exe
PID 3824 wrote to memory of 3940	3824	aliens.exe	1E1C360C582DF797.exe
PID 3824 wrote to memory of 3940	3824	aliens.exe	1E1C360C582DF797.exe
PID 3824 wrote to memory of 3940	3824	aliens.exe	1E1C360C582DF797.exe
PID 1968 wrote to memory of 356	1968	msiexec.exe	MsiExec.exe
PID 1968 wrote to memory of 356	1968	msiexec.exe	MsiExec.exe
PID 1968 wrote to memory of 356	1968	msiexec.exe	MsiExec.exe
PID 3824 wrote to memory of 2932	3824	aliens.exe	cmd.exe
PID 3824 wrote to memory of 2932	3824	aliens.exe	cmd.exe
PID 3824 wrote to memory of 2932	3824	aliens.exe	cmd.exe
PID 2932 wrote to memory of 4064	2932	cmd.exe	PING.EXE
PID 2932 wrote to memory of 4064	2932	cmd.exe	PING.EXE
PID 2932 wrote to memory of 4064	2932	cmd.exe	PING.EXE
PID 3940 wrote to memory of 2616	3940	1E1C360C582DF797.exe	cmd.exe
PID 3940 wrote to memory of 2616	3940	1E1C360C582DF797.exe	cmd.exe
PID 3940 wrote to memory of 2616	3940	1E1C360C582DF797.exe	cmd.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2280	3704	1E1C360C582DF797.exe	firefox.exe
PID 2616 wrote to memory of 1032	2616	cmd.exe	taskkill.exe
PID 2616 wrote to memory of 1032	2616	cmd.exe	taskkill.exe
PID 2616 wrote to memory of 1032	2616	cmd.exe	taskkill.exe
PID 3940 wrote to memory of 3840	3940	1E1C360C582DF797.exe	cmd.exe
PID 3940 wrote to memory of 3840	3940	1E1C360C582DF797.exe	cmd.exe
PID 3940 wrote to memory of 3840	3940	1E1C360C582DF797.exe	cmd.exe
PID 3704 wrote to memory of 2132	3704	1E1C360C582DF797.exe	1607156958849.exe
PID 3704 wrote to memory of 2132	3704	1E1C360C582DF797.exe	1607156958849.exe
PID 3704 wrote to memory of 2132	3704	1E1C360C582DF797.exe	1607156958849.exe
PID 3840 wrote to memory of 204	3840	cmd.exe	PING.EXE
PID 3840 wrote to memory of 204	3840	cmd.exe	PING.EXE
PID 3840 wrote to memory of 204	3840	cmd.exe	PING.EXE
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2452	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 3468	3704	1E1C360C582DF797.exe	1607156973458.exe
PID 3704 wrote to memory of 3468	3704	1E1C360C582DF797.exe	1607156973458.exe
PID 3704 wrote to memory of 3468	3704	1E1C360C582DF797.exe	1607156973458.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 2160	3704	1E1C360C582DF797.exe	firefox.exe
PID 3704 wrote to memory of 3700	3704	1E1C360C582DF797.exe	1607157005020.exe
PID 3704 wrote to memory of 3700	3704	1E1C360C582DF797.exe	1607157005020.exe
PID 3704 wrote to memory of 3700	3704	1E1C360C582DF797.exe	1607157005020.exe
PID 3704 wrote to memory of 864	3704	1E1C360C582DF797.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\3ca6df4914385efd4ba9cd239b5ed254.exe
"C:\Users\Admin\AppData\Local\Temp\3ca6df4914385efd4ba9cd239b5ed254.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\sib8787.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib8787.tmp\0\setup.exe" -s
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files (x86)\71eza90awf48\aliens.exe
"C:\Program Files (x86)\71eza90awf48\aliens.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Users\Admin\AppData\Roaming\1607156958849.exe
"C:\Users\Admin\AppData\Roaming\1607156958849.exe" /sjson "C:\Users\Admin\AppData\Roaming\1607156958849.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Users\Admin\AppData\Roaming\1607156973458.exe
"C:\Users\Admin\AppData\Roaming\1607156973458.exe" /sjson "C:\Users\Admin\AppData\Roaming\1607156973458.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Users\Admin\AppData\Roaming\1607157005020.exe
"C:\Users\Admin\AppData\Roaming\1607157005020.exe" /sjson "C:\Users\Admin\AppData\Roaming\1607157005020.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:864

C:\Users\Admin\AppData\Roaming\1607157019208.exe
"C:\Users\Admin\AppData\Roaming\1607157019208.exe" /sjson "C:\Users\Admin\AppData\Roaming\1607157019208.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:204

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\71eza90awf48\aliens.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:4064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 41F4F593062954CBA2342187C6FB0AC7 C
2⤵
- Loads dropped DLL
PID:356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\71eza90awf48\aliens.exe
MD5
5c045daf41e6cb42af1633be1f3252ff

SHA1
05091bff6468460fbe0df98764824756bcb3382a

SHA256
b49e4788d8d6431302fb4f1ba1194716a377d50ba0086716740bb2ec390018f0

SHA512
8610f82dbbc1281746db85417219c4b293496d632b2fa6aadaed4334c76d612c190e0a0551ef97d07b484d5fd1f5f6f46dc1de020f25d77efd5ea7a309eff094

Download Submit
C:\Program Files (x86)\71eza90awf48\aliens.exe
MD5
0aadeeec5a5571dd6835cdff59d3fa23

SHA1
0fe4d56e3f5d930292eeaf0232950e8aa8b0f30e

SHA256
c4828261fd1d1a1d1859cffc428c2c5466ab05d57de5f82c10fb3790897aae9d

SHA512
3c1ca8c551a23bb9825d886d1587e549ce4cb6602f0df2c550d23715813bf3f197243d81c397d5ff9b75cb376d8bfc5092fb67c011a8fca7380c1ef1c0b5c8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
ca360841a861b4c3dc45c6e5ae7c07c8

SHA1
38cdf6b34ee08f03c49dfbc1016f455e2986dd4f

SHA256
1aae2f05bbd426b54dc546e80183d9c56d972bd4be24e053d4806340cf172153

SHA512
9d165c1104c1af8e4f0e184b7b30ca8b3228de6a269ae45ba4cf790fb541e1d7356fcdba13f12328a6758ff8a3163a5b81a9474e81ffeef51a3848bcad3fa6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
c18965441c45eab515c4988a591ea367

SHA1
fcaa68b2f0605f35e510689567a3365b15fffaaa

SHA256
c634b64ddae68830715689f4e42f412b4c6c942c5197dc0c70b8017ac42a03dc

SHA512
d3854ad738dcf0c08760a1c1e5b76867d3304db16632702bba4d8657ebb48d6219c0efcc33bb4cb3ac9de2eefacc1b963fc03ab6d570db725df5ff4467b61b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
bf8a4c3c3f53dde4e420660b53558ae1

SHA1
9e7eec8586a2d71ee08a327830ee5df58fba3214

SHA256
cfa369ea6968af48ae997294131826042f661078ecf9b1c49bb13b3e6bbcfb9d

SHA512
e12901387335d7bdd926cb8a5fce2a66c2e9dbfc803f6c35809e6d8c8bf3273ce0dfc21e8ae47019209d3f9d72b84547ace7eaa3e4b1309b9f65cc26a66cde56

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDFD6.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib8787.tmp\0\setup.exe
MD5
69c9ba53239d6838d05594d96a36dea3

SHA1
3de1717040c9803ff67ef6c0cd218b45fd051ca8

SHA256
cfaade4b15040d0ec25112e808aaada0bbdc378b5e4439d8c7620fedb6359ca1

SHA512
fc86c62a014b11139476cf658b6ef97ab210d2a2e8b4128e58d9a186037764b328e819a345606272d5bdfdfe7729f402631214d9371be0b60ebb7f45fcc90141

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib8787.tmp\0\setup.exe
MD5
69c9ba53239d6838d05594d96a36dea3

SHA1
3de1717040c9803ff67ef6c0cd218b45fd051ca8

SHA256
cfaade4b15040d0ec25112e808aaada0bbdc378b5e4439d8c7620fedb6359ca1

SHA512
fc86c62a014b11139476cf658b6ef97ab210d2a2e8b4128e58d9a186037764b328e819a345606272d5bdfdfe7729f402631214d9371be0b60ebb7f45fcc90141

Download Submit
C:\Users\Admin\AppData\Roaming\1607156958849.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607156958849.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607156958849.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1607156973458.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607156973458.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607156973458.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1607157005020.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607157005020.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607157005020.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1607157019208.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607157019208.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1607157019208.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDFD6.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\nsf863E.tmp\Sibuia.dll
MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
\Users\Admin\AppData\Local\Temp\sib8787.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\AppData\Local\Temp\sib8787.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
memory/204-41-0x0000000000000000-mapping.dmp

Download
memory/356-24-0x0000000000000000-mapping.dmp

Download
memory/644-8-0x0000000010C90000-0x0000000010C91000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000010C70000-0x0000000010C71000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/864-55-0x00007FF64D2E8270-mapping.dmp

Download
memory/1032-36-0x0000000000000000-mapping.dmp

Download
memory/2132-38-0x0000000000000000-mapping.dmp

Download
memory/2160-49-0x00007FF64D2E8270-mapping.dmp

Download
memory/2204-17-0x0000000000000000-mapping.dmp

Download
memory/2280-35-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2280-34-0x00007FF64D2E8270-mapping.dmp

Download
memory/2452-43-0x00007FF64D2E8270-mapping.dmp

Download
memory/2616-33-0x0000000000000000-mapping.dmp

Download
memory/2932-25-0x0000000000000000-mapping.dmp

Download
memory/3468-44-0x0000000000000000-mapping.dmp

Download
memory/3700-50-0x0000000000000000-mapping.dmp

Download
memory/3704-19-0x0000000000000000-mapping.dmp

Download
memory/3704-31-0x00000000055F0000-0x0000000005AA1000-memory.dmp

Filesize
4.7MB

Download
memory/3824-16-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3824-13-0x0000000000000000-mapping.dmp

Download
memory/3840-37-0x0000000000000000-mapping.dmp

Download
memory/3920-9-0x0000000000000000-mapping.dmp

Download
memory/3940-32-0x0000000005590000-0x0000000005A41000-memory.dmp

Filesize
4.7MB

Download
memory/3940-20-0x0000000000000000-mapping.dmp

Download
memory/3972-56-0x0000000000000000-mapping.dmp

Download
memory/4064-30-0x0000000000000000-mapping.dmp

Download