redline | d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac

Analysis

max time kernel
150s
max time network
109s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
Size

133KB
MD5

0d59da753eee30ad352124c93782737e
SHA1

2575a6af11cb0572bb6bd9953206678762b29ac7
SHA256

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac
SHA512

67dcfc8066f1f0f320e534df0a6b147eb1709cc6dc45cd77688548f986c9a257c2152ee420dfa46eb418cded18bbc175a4d2ef76f8dedc09474cadead237a5ac
SSDEEP

3072:gBvfopOR0GaD09KE1alT/F0OOGEveofqikGLueU:gMWJAlT/y1WTeU

Score

10^/10

redline smokeloader 1200654767 backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

1200654767

79.137.192.6:8362

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2744-146-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/85416-530-0x000000000041972E-mapping.dmp	family_redline
behavioral1/memory/85416-807-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

255A.exe3104.exe1.exe4A49.exe56DD.exe

pid process

3340 255A.exe
8 3104.exe
4588 1.exe
68 4A49.exe
1968 56DD.exe
Deletes itself 1 IoCs

Processes:

pid process

2108
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

88 checkip.amazonaws.com
90 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

56DD.exe

description pid process target process

PID 1968 set thread context of 85416 1968 56DD.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3340	255A.exe
8	3104.exe
4588	1.exe
68	4A49.exe
1968	56DD.exe

pid	process
2108

flow	ioc
88	checkip.amazonaws.com
90	checkip.amazonaws.com

description	pid	process	target process
PID 1968 set thread context of 85416	1968	56DD.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	72	Go-http-client/1.1
HTTP User-Agent header	76	Go-http-client/1.1
HTTP User-Agent header	79	Go-http-client/1.1
HTTP User-Agent header	82	Go-http-client/1.1
HTTP User-Agent header	83	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4A49.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC	4A49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 0f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54540b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f0074002000430041000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c014000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d01d000000010000001000000095b4475fef63caf7452d10faa6f6362b030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac2000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	4A49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 190000000100000010000000147c50fda90d6498a51e241b0e84d362030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac1d000000010000001000000095b4475fef63caf7452d10faa6f6362b14000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d0530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c062000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f00740020004300410000000f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54542000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	4A49.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe

pid	process
2744	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
2744	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2108

pid	process
2108

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe

pid	process
2744	d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108
2108

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeShutdownPrivilege	2108
Token: SeCreatePagefilePrivilege	2108
Token: SeIncreaseQuotaPrivilege	79824	WMIC.exe
Token: SeSecurityPrivilege	79824	WMIC.exe
Token: SeTakeOwnershipPrivilege	79824	WMIC.exe
Token: SeLoadDriverPrivilege	79824	WMIC.exe
Token: SeSystemProfilePrivilege	79824	WMIC.exe
Token: SeSystemtimePrivilege	79824	WMIC.exe
Token: SeProfSingleProcessPrivilege	79824	WMIC.exe
Token: SeIncBasePriorityPrivilege	79824	WMIC.exe
Token: SeCreatePagefilePrivilege	79824	WMIC.exe
Token: SeBackupPrivilege	79824	WMIC.exe
Token: SeRestorePrivilege	79824	WMIC.exe
Token: SeShutdownPrivilege	79824	WMIC.exe
Token: SeDebugPrivilege	79824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	79824	WMIC.exe
Token: SeRemoteShutdownPrivilege	79824	WMIC.exe
Token: SeUndockPrivilege	79824	WMIC.exe
Token: SeManageVolumePrivilege	79824	WMIC.exe
Token: 33	79824	WMIC.exe
Token: 34	79824	WMIC.exe
Token: 35	79824	WMIC.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

255A.exe4A49.execmd.exe56DD.exe

description	pid	process	target process
PID 2108 wrote to memory of 3340	2108		255A.exe
PID 2108 wrote to memory of 3340	2108		255A.exe
PID 2108 wrote to memory of 3340	2108		255A.exe
PID 2108 wrote to memory of 8	2108		3104.exe
PID 2108 wrote to memory of 8	2108		3104.exe
PID 2108 wrote to memory of 8	2108		3104.exe
PID 3340 wrote to memory of 4588	3340	255A.exe	1.exe
PID 3340 wrote to memory of 4588	3340	255A.exe	1.exe
PID 3340 wrote to memory of 4588	3340	255A.exe	1.exe
PID 2108 wrote to memory of 68	2108		4A49.exe
PID 2108 wrote to memory of 68	2108		4A49.exe
PID 2108 wrote to memory of 68	2108		4A49.exe
PID 2108 wrote to memory of 1968	2108		56DD.exe
PID 2108 wrote to memory of 1968	2108		56DD.exe
PID 2108 wrote to memory of 1968	2108		56DD.exe
PID 2108 wrote to memory of 1496	2108		explorer.exe
PID 2108 wrote to memory of 1496	2108		explorer.exe
PID 2108 wrote to memory of 1496	2108		explorer.exe
PID 2108 wrote to memory of 1496	2108		explorer.exe
PID 2108 wrote to memory of 13688	2108		explorer.exe
PID 2108 wrote to memory of 13688	2108		explorer.exe
PID 2108 wrote to memory of 13688	2108		explorer.exe
PID 68 wrote to memory of 22664	68	4A49.exe	cmd.exe
PID 68 wrote to memory of 22664	68	4A49.exe	cmd.exe
PID 68 wrote to memory of 22664	68	4A49.exe	cmd.exe
PID 2108 wrote to memory of 37120	2108		explorer.exe
PID 2108 wrote to memory of 37120	2108		explorer.exe
PID 2108 wrote to memory of 37120	2108		explorer.exe
PID 2108 wrote to memory of 37120	2108		explorer.exe
PID 2108 wrote to memory of 58088	2108		explorer.exe
PID 2108 wrote to memory of 58088	2108		explorer.exe
PID 2108 wrote to memory of 58088	2108		explorer.exe
PID 2108 wrote to memory of 79812	2108		explorer.exe
PID 2108 wrote to memory of 79812	2108		explorer.exe
PID 2108 wrote to memory of 79812	2108		explorer.exe
PID 2108 wrote to memory of 79812	2108		explorer.exe
PID 22664 wrote to memory of 79824	22664	cmd.exe	WMIC.exe
PID 22664 wrote to memory of 79824	22664	cmd.exe	WMIC.exe
PID 22664 wrote to memory of 79824	22664	cmd.exe	WMIC.exe
PID 2108 wrote to memory of 79264	2108		explorer.exe
PID 2108 wrote to memory of 79264	2108		explorer.exe
PID 2108 wrote to memory of 79264	2108		explorer.exe
PID 2108 wrote to memory of 79264	2108		explorer.exe
PID 1968 wrote to memory of 85416	1968	56DD.exe	AppLaunch.exe
PID 1968 wrote to memory of 85416	1968	56DD.exe	AppLaunch.exe
PID 1968 wrote to memory of 85416	1968	56DD.exe	AppLaunch.exe
PID 2108 wrote to memory of 85432	2108		explorer.exe
PID 2108 wrote to memory of 85432	2108		explorer.exe
PID 2108 wrote to memory of 85432	2108		explorer.exe
PID 2108 wrote to memory of 85432	2108		explorer.exe
PID 1968 wrote to memory of 85416	1968	56DD.exe	AppLaunch.exe
PID 1968 wrote to memory of 85416	1968	56DD.exe	AppLaunch.exe
PID 2108 wrote to memory of 85616	2108		explorer.exe
PID 2108 wrote to memory of 85616	2108		explorer.exe
PID 2108 wrote to memory of 85616	2108		explorer.exe
PID 2108 wrote to memory of 85840	2108		explorer.exe
PID 2108 wrote to memory of 85840	2108		explorer.exe
PID 2108 wrote to memory of 85840	2108		explorer.exe
PID 2108 wrote to memory of 85840	2108		explorer.exe

C:\Users\Admin\AppData\Local\Temp\d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe
"C:\Users\Admin\AppData\Local\Temp\d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2744

C:\Users\Admin\AppData\Local\Temp\255A.exe
C:\Users\Admin\AppData\Local\Temp\255A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
PID:4588

C:\Users\Admin\AppData\Local\Temp\3104.exe
C:\Users\Admin\AppData\Local\Temp\3104.exe
1⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\4A49.exe
C:\Users\Admin\AppData\Local\Temp\4A49.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:22664

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:79824

C:\Users\Admin\AppData\Local\Temp\56DD.exe
C:\Users\Admin\AppData\Local\Temp\56DD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:85416

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1496

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:13688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:37120

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:58088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:79812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:79264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:85432

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:85616

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:85840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\255A.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\255A.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3104.exe
Filesize
315KB

MD5
6b6cf541f7e8d8a4973afb7f212c9ddc

SHA1
a7f1a3671295ce9016edf7f660c23f3ecf890e79

SHA256
6398a682b929077fa895ca80e77f5ada30103387b76cb0021712e33ab8122dde

SHA512
e3faa66f1feb93129e56937a0e232728ece6a1f17e36b8dd8baef94e4279e6f3cce00304711a64b2f8b74314699c2943de3ccd49a709f45d0934749b78485791

Download Submit
C:\Users\Admin\AppData\Local\Temp\3104.exe
Filesize
315KB

MD5
6b6cf541f7e8d8a4973afb7f212c9ddc

SHA1
a7f1a3671295ce9016edf7f660c23f3ecf890e79

SHA256
6398a682b929077fa895ca80e77f5ada30103387b76cb0021712e33ab8122dde

SHA512
e3faa66f1feb93129e56937a0e232728ece6a1f17e36b8dd8baef94e4279e6f3cce00304711a64b2f8b74314699c2943de3ccd49a709f45d0934749b78485791

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A49.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A49.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\56DD.exe
Filesize
2.6MB

MD5
fcc31bb8dd044f6b46db858f1bdc590f

SHA1
0be774425e100c7549de22def94f29691df429fe

SHA256
cba7efe86366a06afcaf30ffc25d0652bfeb1a179c5aaa90621537560e24a392

SHA512
b1ffb960489adea858e29954ebc34dba3d7a06f652a49f144bd3fdf3eb299e45ca0c4c33e22d8b8bd7fd31d915b0bdde679ff5cd7eba40c41212fb5381326f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\56DD.exe
Filesize
2.6MB

MD5
fcc31bb8dd044f6b46db858f1bdc590f

SHA1
0be774425e100c7549de22def94f29691df429fe

SHA256
cba7efe86366a06afcaf30ffc25d0652bfeb1a179c5aaa90621537560e24a392

SHA512
b1ffb960489adea858e29954ebc34dba3d7a06f652a49f144bd3fdf3eb299e45ca0c4c33e22d8b8bd7fd31d915b0bdde679ff5cd7eba40c41212fb5381326f81

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
memory/8-192-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/8-189-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/8-187-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/8-184-0x0000000000000000-mapping.dmp

Download
memory/68-308-0x0000000000000000-mapping.dmp

Download
memory/1496-519-0x0000000002A20000-0x0000000002A2B000-memory.dmp

Filesize
44KB

Download
memory/1496-482-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/1496-352-0x0000000000000000-mapping.dmp

Download
memory/1968-343-0x0000000000000000-mapping.dmp

Download
memory/2108-1210-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/2108-377-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2108-421-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2108-1211-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-263-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-267-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2108-259-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-255-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-252-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-1212-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-1213-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-211-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2108-208-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2108-206-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/2108-1214-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-1215-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-1216-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-1217-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2108-1218-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/2744-158-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2744-136-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-120-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-130-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-131-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-129-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-132-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-128-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-127-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-125-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-124-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-126-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-123-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-122-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-121-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-133-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-135-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-134-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-137-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-138-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-139-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-140-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-141-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-142-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-143-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-145-0x000000000070A000-0x000000000071A000-memory.dmp

Filesize
64KB

Download
memory/2744-157-0x000000000070A000-0x000000000071A000-memory.dmp

Filesize
64KB

Download
memory/2744-144-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-146-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2744-155-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-156-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-147-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-148-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2744-153-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-154-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-152-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-151-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-150-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-149-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-173-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-181-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-185-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-191-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-183-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-182-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-161-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-162-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-180-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-179-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-178-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-177-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-176-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-159-0x0000000000000000-mapping.dmp

Download
memory/3340-175-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-174-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-188-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-190-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-163-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-172-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-164-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-165-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-171-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-170-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-169-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-168-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-167-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3340-166-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-283-0x0000000000000000-mapping.dmp

Download
memory/13688-399-0x0000000000F80000-0x0000000000F8F000-memory.dmp

Filesize
60KB

Download
memory/13688-397-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/13688-794-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/13688-378-0x0000000000000000-mapping.dmp

Download
memory/22664-384-0x0000000000000000-mapping.dmp

Download
memory/37120-396-0x0000000000000000-mapping.dmp

Download
memory/37120-654-0x0000000003110000-0x0000000003115000-memory.dmp

Filesize
20KB

Download
memory/37120-704-0x0000000003100000-0x0000000003109000-memory.dmp

Filesize
36KB

Download
memory/37120-897-0x0000000003110000-0x0000000003115000-memory.dmp

Filesize
20KB

Download
memory/58088-871-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/58088-417-0x0000000000000000-mapping.dmp

Download
memory/58088-424-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/58088-447-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/79264-805-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/79264-465-0x0000000000000000-mapping.dmp

Download
memory/79264-840-0x0000000002AA0000-0x0000000002AA9000-memory.dmp

Filesize
36KB

Download
memory/79264-917-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/79812-437-0x0000000000000000-mapping.dmp

Download
memory/79812-801-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/79812-754-0x0000000000190000-0x00000000001B2000-memory.dmp

Filesize
136KB

Download
memory/79824-438-0x0000000000000000-mapping.dmp

Download
memory/85416-875-0x0000000009490000-0x000000000959A000-memory.dmp

Filesize
1.0MB

Download
memory/85416-1024-0x000000000A900000-0x000000000A976000-memory.dmp

Filesize
472KB

Download
memory/85416-807-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/85416-825-0x0000000009790000-0x0000000009D96000-memory.dmp

Filesize
6.0MB

Download
memory/85416-830-0x00000000091A0000-0x00000000091B2000-memory.dmp

Filesize
72KB

Download
memory/85416-530-0x000000000041972E-mapping.dmp

Download
memory/85416-845-0x0000000009200000-0x000000000923E000-memory.dmp

Filesize
248KB

Download
memory/85416-912-0x000000000A4B0000-0x000000000A672000-memory.dmp

Filesize
1.8MB

Download
memory/85416-913-0x000000000ABB0000-0x000000000B0DC000-memory.dmp

Filesize
5.2MB

Download
memory/85416-1029-0x000000000AB80000-0x000000000AB9E000-memory.dmp

Filesize
120KB

Download
memory/85416-918-0x000000000A420000-0x000000000A486000-memory.dmp

Filesize
408KB

Download
memory/85416-1025-0x000000000B5E0000-0x000000000BADE000-memory.dmp

Filesize
5.0MB

Download
memory/85416-1023-0x000000000A860000-0x000000000A8F2000-memory.dmp

Filesize
584KB

Download
memory/85416-868-0x0000000009240000-0x000000000928B000-memory.dmp

Filesize
300KB

Download
memory/85432-842-0x0000000002980000-0x000000000298B000-memory.dmp

Filesize
44KB

Download
memory/85432-498-0x0000000000000000-mapping.dmp

Download
memory/85432-809-0x0000000002990000-0x0000000002996000-memory.dmp

Filesize
24KB

Download
memory/85616-896-0x0000000001090000-0x0000000001097000-memory.dmp

Filesize
28KB

Download
memory/85616-558-0x0000000001090000-0x0000000001097000-memory.dmp

Filesize
28KB

Download
memory/85616-539-0x0000000000000000-mapping.dmp

Download
memory/85616-565-0x0000000001080000-0x000000000108D000-memory.dmp

Filesize
52KB

Download
memory/85840-944-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/85840-844-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/85840-873-0x0000000000210000-0x000000000021B000-memory.dmp

Filesize
44KB

Download
memory/85840-582-0x0000000000000000-mapping.dmp

Download