5a05eaa9635b5247d5d7e5c846194ba5868532a7ec555df57b8a8f25861d2471

Analysis

max time kernel
139s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5ac15d.msi
Size

77.5MB
MD5

f4423feafa6af8382acdbe99269d662a
SHA1

57fd7d8ce46c964428f21ea5169c85d85e51ac63
SHA256

5a05eaa9635b5247d5d7e5c846194ba5868532a7ec555df57b8a8f25861d2471
SHA512

57ccd1705456cd8894e8d1d8efeb52594d42639918fc09e058231221ea484dd0b3cca6498aa66275e0c2592547abed26e8a257529a79c6aabc2e033c55ba5df5
SSDEEP

1572864:NnndAhSnbfH7y7m1PUp0SD+cafNzcZiku0M4339kUUCw:NnqSDwm1PRbcafkiku0M4dkUp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1952	msiexec.exe
5	1952	msiexec.exe
7	1952	msiexec.exe
11	1224	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	Redline.exe

Loads dropped DLL 48 IoCs

pid	Process
2972	MsiExec.exe
2972	MsiExec.exe
2380	MsiExec.exe
2380	MsiExec.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe
1292	Redline.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Redline\Configuration\DefaultProcessAcquisitionAudit.xml	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\Linux\lib\libuv.so.1	msiexec.exe
File created	C:\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\Linux\lib\libmnl.so.0.2.0	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\nssutil3.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\redit.exe	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\mxCore.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\libEGL.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Ookii.Dialogs.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\Linux\lib\libblkid.so	msiexec.exe
File created	C:\Program Files (x86)\Redline\Mandiant Installer Logo.bmp	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\libuv.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Configuration\Reporting\document.xml	msiexec.exe
File created	C:\Program Files (x86)\Redline\Data\DefaultViewLayoutSettings.xml	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\softokn3.chk	msiexec.exe
File created	C:\Program Files (x86)\Redline\ActiproSoftware.Navigation.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\IKVM.OpenJDK.Charsets.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\Linux\lib\libauparse.so.0.0.0	msiexec.exe
File created	C:\Program Files (x86)\Redline\IKVM.OpenJDK.XML.API.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Configuration\AuditDataSchema.sql	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Win32Mapi.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\SlimCharles.UI.ViewModel.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\dictionaries\en-US.dic	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Configuration\Portable\Win\finishAnalysis.js	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\plc4.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Mandiant.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\js.exe	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\Linux\lib\libssl.so.1.0.0	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\ssl3.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\End User License Agreement.rtf	msiexec.exe
File created	C:\Program Files (x86)\Redline\ExceptionReporter.WinForms.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\audits.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\nssdbm3.chk	msiexec.exe
File created	C:\Program Files (x86)\Redline\saxon9he.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x64\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Configuration\Portable\Linux\Readme.txt	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\mozsqlite3.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\IKVM.Runtime.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\concrt140.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Redline\XulRunner\omni.jar	msiexec.exe
File created	C:\Program Files (x86)\Redline\Configuration\DefaultWhitelist.txt	msiexec.exe
File created	C:\Program Files (x86)\Redline\Agent\x86\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_1E77005D970C18DDCA3C84.exe	msiexec.exe
File created	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_5D7B4D2F7AAA38A32CB644.exe	msiexec.exe
File created	C:\Windows\Installer\f771307.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1769.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f771304.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A19.tmp	msiexec.exe
File created	C:\Windows\Installer\f771305.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f771305.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_1E77005D970C18DDCA3C84.exe	msiexec.exe
File created	C:\Windows\Installer\f771304.msi	msiexec.exe
File created	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_112D608FD02CD87FDC7735.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_112D608FD02CD87FDC7735.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_5D7B4D2F7AAA38A32CB644.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_853F67D554F05449430E7E.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Ookii.Dialogs.Wpf.dll	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Redline.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Newtonsoft.Json.dll\Newtonsoft.Json,Version="4.5.0.0",Culture="neutral",PublicKeyToken="30AD4FE6B2A6AEED",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e005d005d0056006700410070004600300026003d0069005a0076003f003700560057007e005700400000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|log4net.dll\log4net,Version="1.2.10.0",Culture="neutral",PublicKeyToken="1B44E1D426115821",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00360074006b00710068005f006b0031005b005800560036005f0051007a005500650067002100700000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Xceed.Compression.v5.5.dll	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Redline.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Redline.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Redline.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mans	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mans\ = "Mandiant Analysis File"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Xceed.Wpf.DataGrid.ThemePack.1.v5.3.dll\Xceed.Wpf.DataGrid.ThemePack.1.v5.3,Version="5.3.14251.9290",Culture="neutral",PublicKeyToken="BA83FF368B7563C6",ProcessorArchite = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00240036003700280073002e004e007b003d003d0028007e007100780043002500740060004400710000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Xceed.Wpf.Controls.v5.3.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|IKVM.Runtime.dll\IKVM.Runtime,Version="0.46.0.2",Culture="neutral",PublicKeyToken="13235D27FCBFFF58",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e006c0043005e004400390042004f00320040005700750073005500560034006500650035006d00610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|MandiantToolkit\|MandiantToolkit.dll	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Redline.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|ExceptionReporter.WinForms.dll\ExceptionReporter.WinForms,Version="2.1.2.0",Culture="neutral",PublicKeyToken="6F3966959457D91D",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00330061006f0073002900670079003700680077007a007200470040004600390050006a004200680000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\05BAB653B8AA0934EB93AF9C9F1D7EEA\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\05BAB653B8AA0934EB93AF9C9F1D7EEA	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	Redline.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mandiant Analysis File\shell\open\ = "&Open"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|ActiproSoftware.Shared.Wpf.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|AmCharts.Windows.Design.dll\AmCharts.Windows.Design,Version="1.0.0.0",Culture="neutral",PublicKeyToken="6A0AF00BD7DE39D1",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00420051004b007100760035004400460025006d003d005d00460060006e005400520039005100570000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Microsoft.Windows.Shell.dll\Microsoft.Windows.Shell,Version="3.5.41019.1",Culture="neutral",PublicKeyToken="31BF3856AD364E35",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e0067004d0052007e0075004d00280026006e0055005300410058005d002b003f0030006b005700610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|ApolloData.dll	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	Redline.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|SlimCharles.Data.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|SlimCharles.Data.SQLite.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|ActiproSoftware.Navigation.Wpf.dll	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\05BAB653B8AA0934EB93AF9C9F1D7EEA\Version = "33554532"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mans\Mandiant Analysis File\ShellNew	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|IKVM.OpenJDK.Util.dll\IKVM.OpenJDK.Util,Version="0.46.0.2",Culture="neutral",PublicKeyToken="13235D27FCBFFF58",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e005500520066006100680073004c006d005f002b0030007d007d005a005800550043007a006700610000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|MandiantToolkit.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|IKVM.OpenJDK.Text.dll\IKVM.OpenJDK.Text,Version="0.46.0.2",Culture="neutral",PublicKeyToken="13235D27FCBFFF58",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00310069004f0057004500710029002a00510075005f0077006f005b006a006b004d006d006200260000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Xceed.Zip.v5.5.dll\Xceed.Zip.v5.5,Version="5.5.14256.14130",Culture="neutral",PublicKeyToken="BA83FF368B7563C6",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00790068002c003800680058006b002d0071004900710077007a003100240044005b003f004e006f0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Xceed.FileSystem.v5.5.dll\Xceed.FileSystem.v5.5,Version="5.5.14256.14130",Culture="neutral",PublicKeyToken="BA83FF368B7563C6",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00340048006e005e005700420037006d00480031004c00460073007a0079005b00580063006c006f0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Redline.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Redline.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Win32Mapi.dll\Win32Mapi,Version="1.0.0.0",Culture="neutral",PublicKeyToken="6F3966959457D91D",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e003d006c00630058002c004a00330030005d0050006c007e006900440058006a00490069006500530000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Redline.exe\Redline,Version="2.0.100.0",Culture="neutral",PublicKeyToken="5CBB2DA9B200A8F0",ProcessorArchitecture="x86" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e00270027002a0025003500360060005e0027002c0072004c00730065003200630079005b007900670000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\05BAB653B8AA0934EB93AF9C9F1D7EEA\Language = "1033"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	Redline.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|Newtonsoft.Json.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|ApolloData.dll\ApolloData,Version="3.0.1500.0",Culture="neutral",PublicKeyToken="5CBB2DA9B200A8F0",ProcessorArchitecture="MSIL" = 700039004900320035002d0044006d0065003900360026006d0076006900310037003700360061003e0075005e003600360031003800540021004400620029003400340072002e0074002e004b004800610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Redline\|IKVM.OpenJDK.Util.dll	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\05BAB653B8AA0934EB93AF9C9F1D7EEA\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Redline.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Redline.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Redline.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Redline.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mans\Mandiant Analysis File	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1224	msiexec.exe
1224	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Redline.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1952	msiexec.exe
1952	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	Redline.exe
1292	Redline.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2972	1224	msiexec.exe	29
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35
PID 1224 wrote to memory of 2380	1224	msiexec.exe	35

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e5ac15d.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71A8F15E315FD024A4B854A381CC3CA0 C
  2⤵
  - Loads dropped DLL
  PID:2972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CDB472E20CFFCDDDE67DC294EDD2742
  2⤵
  - Loads dropped DLL
  PID:2380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1020

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "00000000000003C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:828

C:\Program Files (x86)\Redline\Redline.exe
"C:\Program Files (x86)\Redline\Redline.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771306.rbs

Filesize
76KB

MD5
d181de68bec94183c23ea894e568a571

SHA1
7c9ee3ad89702eec6d603f8ff7c1d68f0ae645b7

SHA256
21af00c5f12d5fe18023062e041ddbc069b7d222458e35418a529ce2f5e0cc17

SHA512
25aed08ea77e2995c7ad8576e96cb78c5712454302dd30c9086a3c623d5b7584b26d2094861ebfab34d02f73303fd83338cabe14fccfb1830387ea7558293f86

Download Submit
C:\Program Files (x86)\Redline\ActiproSoftware.Navigation.Wpf.dll

Filesize
297KB

MD5
6cb09b421ea60d18068429f34566bfd5

SHA1
2d9f5c2c26c90f57edcff7f16e15c4ad26f711e3

SHA256
3033e387227239a5b22542a1544b42a5d62f8f8bba2ef5f574ee5869d25954f8

SHA512
a9b26d8aea5cb2e355d5aff598b9211c1b299dfc901cc16ac611474d9f9d77484ffb45bb513f8a0853f4b46c94ecf24488049ae4f1661e2325ccb99aa0acf2ad

Download Submit
C:\Program Files (x86)\Redline\ActiproSoftware.Shared.Wpf.dll

Filesize
2.0MB

MD5
8de98ca0e4116e484c3f070b21e20d0a

SHA1
176e6a156e3f2d9d1c2b924fa8af7a1049c8a336

SHA256
069b5c4cda0ac7b85a439d2a68187d77f21907464e8cd123af9370b9cf7c4c91

SHA512
4abc27e5ab6b1c80b9522c39c3c4bc847879cf4f0ddf7b801a625597e9c589b2768569a1108bee33e3ad8959594af2c9e0bb1064234b33d2c04d684d91224b80

Download Submit
C:\Program Files (x86)\Redline\MandiantToolkit.dll

Filesize
340KB

MD5
ec70cda54756579f9812a95f38edcb1d

SHA1
fd4cda8597930e2d163b4e969dcf0b65ab059ac5

SHA256
19a570a2f9f4efa401f6d51343558af6d0b0f259b16907e97344f62c1f2b0243

SHA512
9ccd5d0bd7b2d47a5c8b780f1bdf8e7e2b29f4792ff89d0235300148e1218e89c87f30ed0e4238c1e38491e296a5e9af08f3f093997b2dc9d9ce75459c3562ff

Download Submit
C:\Program Files (x86)\Redline\Redline.exe

Filesize
201KB

MD5
b9483102cc45fe7dd8758efeadd85030

SHA1
b6b00fb0acf6ecffb8ed4ce73f9a78ac74a367d1

SHA256
9a223619ef2206e609a55599d7c0041d1a32b970998717c0e6471f1a9aa2ff0f

SHA512
3ec30cf98ce8ebecdf328ac602458a9427767ce2ffaf5ca67cc4886fad380e42ce49731765c15c60c76521b5a931a5fa7cf945f36bb59f967b85333e1fa34a40

Download Submit
C:\Program Files (x86)\Redline\Redline.exe

Filesize
201KB

MD5
b9483102cc45fe7dd8758efeadd85030

SHA1
b6b00fb0acf6ecffb8ed4ce73f9a78ac74a367d1

SHA256
9a223619ef2206e609a55599d7c0041d1a32b970998717c0e6471f1a9aa2ff0f

SHA512
3ec30cf98ce8ebecdf328ac602458a9427767ce2ffaf5ca67cc4886fad380e42ce49731765c15c60c76521b5a931a5fa7cf945f36bb59f967b85333e1fa34a40

Download Submit
C:\Program Files (x86)\Redline\Redline.exe.config

Filesize
4KB

MD5
879e22f45c9d6131dc0ada1c2259868d

SHA1
e6951d0bd8b3b9f8d69284d13d9971acfd1b58af

SHA256
599605d903256d529994da65dd4bb8e1cd58edf3e067546f7c1a3b986469a5a6

SHA512
a45b675ba43bbbfa20376152cf5f7f1c6e5f285de38bef7773ba9ed2a870d46a7a181ac5cec1364ac674da7f908af0fc31c0b750e57afc92c87f10c162462bdc

Download Submit
C:\Program Files (x86)\Redline\SlimCharles.Core.dll

Filesize
344KB

MD5
2198208cc248553d9c200a609f40f6ee

SHA1
fcb040927da522ee75d7a9fcf5d265610738ee53

SHA256
588825f2d1d44f7ca82a25d98b40c0b17c7d9980ee2a8fd59363278b8a0f4c69

SHA512
f9d645d55607dc3d3077689dfd8d3824f03392f3842634593b29acdae1e2a8af306aea4e97794c5076cebb21ee7914c71b130dc50a6976a3b5bc9aa697ca2e46

Download Submit
C:\Program Files (x86)\Redline\SlimCharles.Data.SQLite.dll

Filesize
673KB

MD5
463eca56c0a24c166794ddd43308b907

SHA1
e483939dc5bcac33fd1a0f4b15fa1ea4ed52996d

SHA256
c582511ebcbc6c70de95fe10dcb6bce42a77bb9c95faa7a3504f513ffbba73ca

SHA512
61cc28d367367185dd58415d1b751d1bf61aa6c618181689a68d7251ec77e0f49db8f06b95d9d12278a3db143bfc6ff57ca6487438b1797f5b6d37a834e06fdd

Download Submit
C:\Program Files (x86)\Redline\SlimCharles.Data.dll

Filesize
181KB

MD5
07b7aa11b30dd766a607707b3cf87101

SHA1
731941db29bd046b2ee7bb9a95835856ffc2de5f

SHA256
89f948924d27b8e55cf54bf6f95672145e287af64701d1b2dfc2f8c387cfcff7

SHA512
7a00011f3fc3ce4bc9ab278d903fff6fb5ef4a43129b30449ec06a5596c83faa2eb4e18c35367347fe68cf31bfb85ad594a4f329b1d27ce858a242ff07a468e7

Download Submit
C:\Program Files (x86)\Redline\SlimCharles.UI.ViewModel.dll

Filesize
769KB

MD5
11ea3cc0ecd5eecf8a7d03dc9ea41e93

SHA1
229087cdb61f2f99ef4df94a30894b08f7f8fc36

SHA256
7310e336eb0a2e8474a83f7b123bc650810fb9d9e306ea23a4d26b8ff3598ab4

SHA512
bbe5cdce73c9622b0438b232a03aa4b7468a28c2ff205c7279ce1147bb4699c87bb59cbb96fc058f5bdef8eac2495806038df85029fe23d87c4c843925bb5cac

Download Submit
C:\Program Files (x86)\Redline\SlimCharles.UI.dll

Filesize
1.9MB

MD5
3afb8ac5765e6f1a00ae742bb343d413

SHA1
21efbe7fdad27b1bec2ab59155fddfc75e9e8632

SHA256
54eea22a635fe84d9a4720c31cd1397443541bf1a19987dce4c0347c9d968f68

SHA512
134e87d7f600f26748f8590a4dc0807d6d3c012dfc14d49d9e30f2112f26010867d415a7cb76ad81563b361d4bdd9967119562763ffd8e1a25a32617f185e280

Download Submit
C:\Program Files (x86)\Redline\Xceed.Compression.v5.5.dll

Filesize
269KB

MD5
ee9fa27dace006aa4622b6b6f59044b3

SHA1
0f162d4ede2a561406f465a41afface65df274c4

SHA256
2c8b746b69554335b3eecfb54ff2a155aa89fd695d636df3386b85ba1cc1917e

SHA512
b1a97f62726543056dd2f5130a3d5ad62f1ec06ebcc7360ff8982851098816273cc0b71e06fe1622ce6255c5bbb33d8146fee9c45b99ac75f93711857e8850e7

Download Submit
C:\Program Files (x86)\Redline\Xceed.FileSystem.v5.5.dll

Filesize
141KB

MD5
ba1a885df023cadc30dd818893e60fe5

SHA1
087febdf9bf1b369f31f3fa2600db9c804b9defe

SHA256
3b44f9d3879841b5c328697f688f1fd2a8465aa8e5f079908c04a481af38ba6b

SHA512
4b3f5c216c0a6488c927a2fe93a91cfd0ad625649e5a3d5b29e1e336acf0be4bba539a906a4d5c8a9ffd10b697b1e8a55da27d662804ca35acf2010d70982b7a

Download Submit
C:\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll

Filesize
165KB

MD5
309b1452592f2f5817ba5a136483d55a

SHA1
155ef676b24dc15f1f65985a9d7f5aa8698d32c2

SHA256
5f78ce0d641bf7dfb302f1cb2c6a022001e7ea68177a6944349cf887147b25cc

SHA512
9933ce2d583e162054e027fd1626b6c655d5e152ce02a67d982d6a8a3a74212a362d086e8d1b56e446f11d6483d7b70a494c428e0fa58e4f6276597f7be1ea1e

Download Submit
C:\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll

Filesize
3.9MB

MD5
2a855b8f2a952b47d9fcceb153d5f847

SHA1
f13df656e307bb977b39081734e417e28dbfc400

SHA256
e25447ca8a883b33b6b1d64da3fe7640aebe146136588125d14505011a13d28a

SHA512
9a6ab5bc6c6fd30df5668ed0678761ae4cfe014eaed1ef2b1dd441945f3e4ca5163f51e374ac33124e63e59853f70affb813d421186e3cd307d8baa081496f54

Download Submit
C:\Program Files (x86)\Redline\Xceed.Zip.v5.5.dll

Filesize
317KB

MD5
51701c5295dcd40dfbcf828a6c69d049

SHA1
59660e281f46f179bc2117916a0d78c690bc2063

SHA256
0b396cd9dada05b15d84562fa1761f1e4c65005d049248e0f5bd210e96c72472

SHA512
16750eb042c9c69fb9c66336e73351d4115a36123f24d74e9480f7a49eb6716df82f21a397a04a1d1ab528d986eb395fe881dc590af7d04ab83753e77edc23cf

Download Submit
C:\Program Files (x86)\Redline\log4net.config

Filesize
923B

MD5
23e7e94bba8a3b25c1f4d32ddcc8964e

SHA1
81caf9b138730b895681fc20d0f488f6fd2dad7d

SHA256
c74436239e6d8bb4247ffaeaec2199917dca7199f35ad23393290f3cdd546b9d

SHA512
f4b70b10ceb8ab1d67668f2a3dc0a552a02d605da1911255b114328c6239df1a79dcd3053fd1c4e73f1853d4391ea276cb9b65947969b88ec9e8ac5578d6d4c6

Download Submit
C:\Program Files (x86)\Redline\log4net.dll

Filesize
264KB

MD5
b89cb7f3f1a1e2807e708f5435deb13d

SHA1
82cde65a7514c0e465ee0d505be56c56639ff0b1

SHA256
27d26aab42f7cab35bf51d0536c67ed553fc97b670226b868805e7c6927e5c87

SHA512
0bd0da0cc01eb62ba1dea21666bccf76db6c7dcb2ddfa608bea61da0ffa230a60a66e91449b2664de006066eb63d26daafb3bf7b932c8a22ccd347dbd707e68b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A

Filesize
471B

MD5
e3277f7d7ca04d33492eaa88a06f6624

SHA1
93729a61662240513cdd8c1111e0ccb4263acc2a

SHA256
c142cb4f9091d18155513c242552b419954c45153218ad1c98d7e148995766b4

SHA512
2651c85151927cfdddc4ce68685779a05a1c29b0fdb356ede4fbde3384f77666ebfd753c99eaf389af6cae004b43d6597e57d07452cb73e0de3fb7e8306d094a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DE0101390D8E4B74E3DD39ACA5B00000_C1FB554D0B9B418BB77616B84AD6DC50

Filesize
471B

MD5
88c878ebf9e4afb85e1e8e9a1c90c310

SHA1
d4e62ba741825796458117bdae5a91048006bc9b

SHA256
9f4704528cc2b7c82273fb82020c494fbc638933ee04aa0dc4c12d60bcefdbb6

SHA512
1ad982e455aad69270f2c169f602578e26f91afab257a71f572705491ce170ec5ef00130f87f17fe25d6957d0dd041347773f35f86d750853924ff90ee03c0f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A

Filesize
400B

MD5
6e2a142bb5e753077e9281a08c5add06

SHA1
6dcf86b6cf306a1dff1b994e6434b97fc4db9d35

SHA256
7b772f3a14214cb46e8a201cc6a8fa934219d1a28f4c9f17536cd43dcc1098ce

SHA512
b5b0e95886734945e174e9d20414778d59d11da59f1b0df190e0c395238e722f63538a0831b49c4250c3cd7f3a98a7d69eee679b0889744e61ae74d9e117ba2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccfb8e0dd02bfe9b29297ccc9f3ac116

SHA1
162ae2a3166f38a950cede130b4ad6b0c7a839c6

SHA256
4a84ac9af91a0d1bf9d1641bc9557393f86d8307e9feecbaa15f111f81dacc90

SHA512
1a4e8f9aa17126032d5b37f0cb5de25c5591f8bdef009b2c61d6912df4f4b3b9a3f96c5fda52fe5b10a8d4dd37fb9729b5a6c4cd1809812926837fd8a72e9e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0101390D8E4B74E3DD39ACA5B00000_C1FB554D0B9B418BB77616B84AD6DC50

Filesize
396B

MD5
916b30ee01ce37c312e07879ba2004ef

SHA1
2d200710ac7621ce461bfeac850b59a6c7f9b7af

SHA256
7f66c4402b3f06527511a7eed5bbb67cd4d26239dbd67f9138e804d77fdce413

SHA512
0b93b3620352f560e7b72c42c65cc8983bc841adcc37406a7dc6b29f61ad6cf10a6e0d274e23b225e265e481419e46becdc04134e838f9271c8a6c58cdf5f1b5

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\1orx0zbi.newcfg

Filesize
2KB

MD5
62510dc7cb966939efdc35c547da1ae4

SHA1
7d59799ef5a18b51c826cdaf019414c5de894d3b

SHA256
d6e8819688814ce341b4986a570c6cb138554a117d6f444933f6b462999bea20

SHA512
52fb9b156ee9dd6fe59bddaf773e0f0fc16e7dc53c826db1607fc56c527e7937495bfc02ea4459af70c5a9ad16d6b57ffe4cacf2396909cb7a1485ef0f52ef75

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\e4b1mhu0.newcfg

Filesize
5KB

MD5
f4eabf1da27d848d025465068d60381e

SHA1
0b260ca4a08b8417e4d35c0ba377242799e795be

SHA256
8cbe2bd9016ebd729ca2c7308c7aa7e121b87fbd7941280406012028c1af17ff

SHA512
e3d102aa1e286b6421c2df5199c0c93d273de437c3862f9b227358a38eb6096310e8adab664dc9bf1e157dca88d879206b8af128a637815fc4682a0591286aec

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\jp255qtg.newcfg

Filesize
1KB

MD5
9c609ed056a3d2015d1e630cb2e0eee7

SHA1
cce4ea2798b7b5777bfea3dd0639f40d1d78dd43

SHA256
5ee8fdf1a5ce21c4846805597e55e2e999075c337c23f2beb4e26942a75d4708

SHA512
95d96289d27cefb9154adcc105b50643771d9368fd3535f3087b3ce657c11806d084d08c70e512391c8faa0f14b1a16a21f86d9f7deeb65e0efd0841beb7b780

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\tmmipt21.newcfg

Filesize
4KB

MD5
b475bf0e3080f13e005413397b874e5d

SHA1
640fd8a80ad08478bdab722d466413b87c0f3626

SHA256
05c3d8865e5df712f633b86b5feea46b5fac68b73f067f2c24890291ea51bcac

SHA512
01156470af78670ccf9ae86cf6de8cbdf0ca9b10f61b30e9840bcad4c4035f467dfd0869b778bb55a9b01f5933311370486b63191b617e4912ef1cbc49dfcc86

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\us3qklrw.newcfg

Filesize
5KB

MD5
22eac7ab20d43ba14dcd9f2b00904c39

SHA1
a634d69db792179d22fbd3b49027f69d9671a57d

SHA256
cdbd57527d27dcc419b9680d6fbccf632fefae9df41e5a40e8dbde8e077e7930

SHA512
7797900197990a8e6328071f7274ebb506eacd265f0d3a887b3b897e3138c7e50f73fca0859fb9edc4b64744e61db426575306c5d76ce637c6d6103dba61f587

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\user.config

Filesize
743B

MD5
3114f96bf94e6fbb25a271424ac6af54

SHA1
cc8b07ce66844a012e3095b07b31ae6b44fc339f

SHA256
475b70b9a6a4dbb73bdb6ce8637cb4519c2f02705f05b9868d4b9f5ed0886c67

SHA512
4222fcca5146da510c285dc29b75200f66e13c15a41ff11b2cca965974a796677b6b0d68624fe15e8c617940cdb026584b55ba544eb3446ad15ee0875e3d1c8e

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\user.config

Filesize
929B

MD5
f138902f90ec52c46e7928c36f89c8fd

SHA1
8c7d940215816e2143c2ebf8f177064635e01909

SHA256
041e1da0eb0ae6b9144b22d0f89b12e249d490e983b3477019f1d88dc28cd0e3

SHA512
508be5e1380df133dcd0a215e076b6d4a19416fe3b188f056c465c7d4ba1393af1fd577ece047b67bab95294b91c46662780a31c7be22eb6376c223d425ea181

Download Submit
C:\Users\Admin\AppData\Local\FireEye\Redline.exe_StrongName_wcmjpq3zrfsvzccyy5jadpc2wdj0xvwb\2.0.100.0\user.config

Filesize
4KB

MD5
9648b1cdc46ec9a2e3932d2d89c626d9

SHA1
3f483dec61935aceb4d374a882e26bd1fac26dc0

SHA256
7f137f6307d76de520fd7e5e439beb4186d7ea6d71c9d7f3956fe64ec0328b2b

SHA512
48cd4b2f3931386494fc96f8a23deaa838f2c8a05e515d8628c995e5d24100bc3ffdb4398f6df16545e79efb2f268beaaa4d0d3cba980368aaa52b2d18d58c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8C81.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8DAA.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar88E6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\Installer\MSI1769.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
C:\Windows\Installer\MSI1769.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
C:\Windows\Installer\MSI1A19.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
C:\Windows\Installer\f771304.msi

Filesize
77.5MB

MD5
f4423feafa6af8382acdbe99269d662a

SHA1
57fd7d8ce46c964428f21ea5169c85d85e51ac63

SHA256
5a05eaa9635b5247d5d7e5c846194ba5868532a7ec555df57b8a8f25861d2471

SHA512
57ccd1705456cd8894e8d1d8efeb52594d42639918fc09e058231221ea484dd0b3cca6498aa66275e0c2592547abed26e8a257529a79c6aabc2e033c55ba5df5

Download Submit
C:\Windows\Installer\{356BAB50-AA8B-4390-BE39-FAC9F9D1E7AE}\_1E77005D970C18DDCA3C84.exe

Filesize
14KB

MD5
21264bbcf4376c788f5711488250a78a

SHA1
ba14f4cd5a18ad6e1ad0c08a8a5437978186050c

SHA256
dcd26e1bfe048f5234888ac453363c416edf292ec19bcb75d41a56d1672852bb

SHA512
7dc4318aa01b7b0d4c0d4381996ab57d56cada6431f357678a6a40eca2af83d63f02021e9054df567e510d094d458d51671915a3570dfb95995468608d702170

Download Submit
\Program Files (x86)\Redline\ActiproSoftware.Navigation.Wpf.dll

Filesize
297KB

MD5
6cb09b421ea60d18068429f34566bfd5

SHA1
2d9f5c2c26c90f57edcff7f16e15c4ad26f711e3

SHA256
3033e387227239a5b22542a1544b42a5d62f8f8bba2ef5f574ee5869d25954f8

SHA512
a9b26d8aea5cb2e355d5aff598b9211c1b299dfc901cc16ac611474d9f9d77484ffb45bb513f8a0853f4b46c94ecf24488049ae4f1661e2325ccb99aa0acf2ad

Download Submit
\Program Files (x86)\Redline\ActiproSoftware.Navigation.Wpf.dll

Filesize
297KB

MD5
6cb09b421ea60d18068429f34566bfd5

SHA1
2d9f5c2c26c90f57edcff7f16e15c4ad26f711e3

SHA256
3033e387227239a5b22542a1544b42a5d62f8f8bba2ef5f574ee5869d25954f8

SHA512
a9b26d8aea5cb2e355d5aff598b9211c1b299dfc901cc16ac611474d9f9d77484ffb45bb513f8a0853f4b46c94ecf24488049ae4f1661e2325ccb99aa0acf2ad

Download Submit
\Program Files (x86)\Redline\ActiproSoftware.Shared.Wpf.dll

Filesize
2.0MB

MD5
8de98ca0e4116e484c3f070b21e20d0a

SHA1
176e6a156e3f2d9d1c2b924fa8af7a1049c8a336

SHA256
069b5c4cda0ac7b85a439d2a68187d77f21907464e8cd123af9370b9cf7c4c91

SHA512
4abc27e5ab6b1c80b9522c39c3c4bc847879cf4f0ddf7b801a625597e9c589b2768569a1108bee33e3ad8959594af2c9e0bb1064234b33d2c04d684d91224b80

Download Submit
\Program Files (x86)\Redline\ActiproSoftware.Shared.Wpf.dll

Filesize
2.0MB

MD5
8de98ca0e4116e484c3f070b21e20d0a

SHA1
176e6a156e3f2d9d1c2b924fa8af7a1049c8a336

SHA256
069b5c4cda0ac7b85a439d2a68187d77f21907464e8cd123af9370b9cf7c4c91

SHA512
4abc27e5ab6b1c80b9522c39c3c4bc847879cf4f0ddf7b801a625597e9c589b2768569a1108bee33e3ad8959594af2c9e0bb1064234b33d2c04d684d91224b80

Download Submit
\Program Files (x86)\Redline\MandiantToolkit.dll

Filesize
340KB

MD5
ec70cda54756579f9812a95f38edcb1d

SHA1
fd4cda8597930e2d163b4e969dcf0b65ab059ac5

SHA256
19a570a2f9f4efa401f6d51343558af6d0b0f259b16907e97344f62c1f2b0243

SHA512
9ccd5d0bd7b2d47a5c8b780f1bdf8e7e2b29f4792ff89d0235300148e1218e89c87f30ed0e4238c1e38491e296a5e9af08f3f093997b2dc9d9ce75459c3562ff

Download Submit
\Program Files (x86)\Redline\MandiantToolkit.dll

Filesize
340KB

MD5
ec70cda54756579f9812a95f38edcb1d

SHA1
fd4cda8597930e2d163b4e969dcf0b65ab059ac5

SHA256
19a570a2f9f4efa401f6d51343558af6d0b0f259b16907e97344f62c1f2b0243

SHA512
9ccd5d0bd7b2d47a5c8b780f1bdf8e7e2b29f4792ff89d0235300148e1218e89c87f30ed0e4238c1e38491e296a5e9af08f3f093997b2dc9d9ce75459c3562ff

Download Submit
\Program Files (x86)\Redline\SlimCharles.Core.dll

Filesize
344KB

MD5
2198208cc248553d9c200a609f40f6ee

SHA1
fcb040927da522ee75d7a9fcf5d265610738ee53

SHA256
588825f2d1d44f7ca82a25d98b40c0b17c7d9980ee2a8fd59363278b8a0f4c69

SHA512
f9d645d55607dc3d3077689dfd8d3824f03392f3842634593b29acdae1e2a8af306aea4e97794c5076cebb21ee7914c71b130dc50a6976a3b5bc9aa697ca2e46

Download Submit
\Program Files (x86)\Redline\SlimCharles.Core.dll

Filesize
344KB

MD5
2198208cc248553d9c200a609f40f6ee

SHA1
fcb040927da522ee75d7a9fcf5d265610738ee53

SHA256
588825f2d1d44f7ca82a25d98b40c0b17c7d9980ee2a8fd59363278b8a0f4c69

SHA512
f9d645d55607dc3d3077689dfd8d3824f03392f3842634593b29acdae1e2a8af306aea4e97794c5076cebb21ee7914c71b130dc50a6976a3b5bc9aa697ca2e46

Download Submit
\Program Files (x86)\Redline\SlimCharles.Data.dll

Filesize
181KB

MD5
07b7aa11b30dd766a607707b3cf87101

SHA1
731941db29bd046b2ee7bb9a95835856ffc2de5f

SHA256
89f948924d27b8e55cf54bf6f95672145e287af64701d1b2dfc2f8c387cfcff7

SHA512
7a00011f3fc3ce4bc9ab278d903fff6fb5ef4a43129b30449ec06a5596c83faa2eb4e18c35367347fe68cf31bfb85ad594a4f329b1d27ce858a242ff07a468e7

Download Submit
\Program Files (x86)\Redline\SlimCharles.Data.dll

Filesize
181KB

MD5
07b7aa11b30dd766a607707b3cf87101

SHA1
731941db29bd046b2ee7bb9a95835856ffc2de5f

SHA256
89f948924d27b8e55cf54bf6f95672145e287af64701d1b2dfc2f8c387cfcff7

SHA512
7a00011f3fc3ce4bc9ab278d903fff6fb5ef4a43129b30449ec06a5596c83faa2eb4e18c35367347fe68cf31bfb85ad594a4f329b1d27ce858a242ff07a468e7

Download Submit
\Program Files (x86)\Redline\SlimCharles.UI.ViewModel.dll

Filesize
769KB

MD5
11ea3cc0ecd5eecf8a7d03dc9ea41e93

SHA1
229087cdb61f2f99ef4df94a30894b08f7f8fc36

SHA256
7310e336eb0a2e8474a83f7b123bc650810fb9d9e306ea23a4d26b8ff3598ab4

SHA512
bbe5cdce73c9622b0438b232a03aa4b7468a28c2ff205c7279ce1147bb4699c87bb59cbb96fc058f5bdef8eac2495806038df85029fe23d87c4c843925bb5cac

Download Submit
\Program Files (x86)\Redline\SlimCharles.UI.ViewModel.dll

Filesize
769KB

MD5
11ea3cc0ecd5eecf8a7d03dc9ea41e93

SHA1
229087cdb61f2f99ef4df94a30894b08f7f8fc36

SHA256
7310e336eb0a2e8474a83f7b123bc650810fb9d9e306ea23a4d26b8ff3598ab4

SHA512
bbe5cdce73c9622b0438b232a03aa4b7468a28c2ff205c7279ce1147bb4699c87bb59cbb96fc058f5bdef8eac2495806038df85029fe23d87c4c843925bb5cac

Download Submit
\Program Files (x86)\Redline\SlimCharles.UI.dll

Filesize
1.9MB

MD5
3afb8ac5765e6f1a00ae742bb343d413

SHA1
21efbe7fdad27b1bec2ab59155fddfc75e9e8632

SHA256
54eea22a635fe84d9a4720c31cd1397443541bf1a19987dce4c0347c9d968f68

SHA512
134e87d7f600f26748f8590a4dc0807d6d3c012dfc14d49d9e30f2112f26010867d415a7cb76ad81563b361d4bdd9967119562763ffd8e1a25a32617f185e280

Download Submit
\Program Files (x86)\Redline\SlimCharles.UI.dll

Filesize
1.9MB

MD5
3afb8ac5765e6f1a00ae742bb343d413

SHA1
21efbe7fdad27b1bec2ab59155fddfc75e9e8632

SHA256
54eea22a635fe84d9a4720c31cd1397443541bf1a19987dce4c0347c9d968f68

SHA512
134e87d7f600f26748f8590a4dc0807d6d3c012dfc14d49d9e30f2112f26010867d415a7cb76ad81563b361d4bdd9967119562763ffd8e1a25a32617f185e280

Download Submit
\Program Files (x86)\Redline\Xceed.Compression.v5.5.dll

Filesize
269KB

MD5
ee9fa27dace006aa4622b6b6f59044b3

SHA1
0f162d4ede2a561406f465a41afface65df274c4

SHA256
2c8b746b69554335b3eecfb54ff2a155aa89fd695d636df3386b85ba1cc1917e

SHA512
b1a97f62726543056dd2f5130a3d5ad62f1ec06ebcc7360ff8982851098816273cc0b71e06fe1622ce6255c5bbb33d8146fee9c45b99ac75f93711857e8850e7

Download Submit
\Program Files (x86)\Redline\Xceed.Compression.v5.5.dll

Filesize
269KB

MD5
ee9fa27dace006aa4622b6b6f59044b3

SHA1
0f162d4ede2a561406f465a41afface65df274c4

SHA256
2c8b746b69554335b3eecfb54ff2a155aa89fd695d636df3386b85ba1cc1917e

SHA512
b1a97f62726543056dd2f5130a3d5ad62f1ec06ebcc7360ff8982851098816273cc0b71e06fe1622ce6255c5bbb33d8146fee9c45b99ac75f93711857e8850e7

Download Submit
\Program Files (x86)\Redline\Xceed.FileSystem.v5.5.dll

Filesize
141KB

MD5
ba1a885df023cadc30dd818893e60fe5

SHA1
087febdf9bf1b369f31f3fa2600db9c804b9defe

SHA256
3b44f9d3879841b5c328697f688f1fd2a8465aa8e5f079908c04a481af38ba6b

SHA512
4b3f5c216c0a6488c927a2fe93a91cfd0ad625649e5a3d5b29e1e336acf0be4bba539a906a4d5c8a9ffd10b697b1e8a55da27d662804ca35acf2010d70982b7a

Download Submit
\Program Files (x86)\Redline\Xceed.FileSystem.v5.5.dll

Filesize
141KB

MD5
ba1a885df023cadc30dd818893e60fe5

SHA1
087febdf9bf1b369f31f3fa2600db9c804b9defe

SHA256
3b44f9d3879841b5c328697f688f1fd2a8465aa8e5f079908c04a481af38ba6b

SHA512
4b3f5c216c0a6488c927a2fe93a91cfd0ad625649e5a3d5b29e1e336acf0be4bba539a906a4d5c8a9ffd10b697b1e8a55da27d662804ca35acf2010d70982b7a

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll

Filesize
165KB

MD5
309b1452592f2f5817ba5a136483d55a

SHA1
155ef676b24dc15f1f65985a9d7f5aa8698d32c2

SHA256
5f78ce0d641bf7dfb302f1cb2c6a022001e7ea68177a6944349cf887147b25cc

SHA512
9933ce2d583e162054e027fd1626b6c655d5e152ce02a67d982d6a8a3a74212a362d086e8d1b56e446f11d6483d7b70a494c428e0fa58e4f6276597f7be1ea1e

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll

Filesize
165KB

MD5
309b1452592f2f5817ba5a136483d55a

SHA1
155ef676b24dc15f1f65985a9d7f5aa8698d32c2

SHA256
5f78ce0d641bf7dfb302f1cb2c6a022001e7ea68177a6944349cf887147b25cc

SHA512
9933ce2d583e162054e027fd1626b6c655d5e152ce02a67d982d6a8a3a74212a362d086e8d1b56e446f11d6483d7b70a494c428e0fa58e4f6276597f7be1ea1e

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll

Filesize
165KB

MD5
309b1452592f2f5817ba5a136483d55a

SHA1
155ef676b24dc15f1f65985a9d7f5aa8698d32c2

SHA256
5f78ce0d641bf7dfb302f1cb2c6a022001e7ea68177a6944349cf887147b25cc

SHA512
9933ce2d583e162054e027fd1626b6c655d5e152ce02a67d982d6a8a3a74212a362d086e8d1b56e446f11d6483d7b70a494c428e0fa58e4f6276597f7be1ea1e

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.Controls.v5.3.dll

Filesize
165KB

MD5
309b1452592f2f5817ba5a136483d55a

SHA1
155ef676b24dc15f1f65985a9d7f5aa8698d32c2

SHA256
5f78ce0d641bf7dfb302f1cb2c6a022001e7ea68177a6944349cf887147b25cc

SHA512
9933ce2d583e162054e027fd1626b6c655d5e152ce02a67d982d6a8a3a74212a362d086e8d1b56e446f11d6483d7b70a494c428e0fa58e4f6276597f7be1ea1e

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll

Filesize
3.9MB

MD5
2a855b8f2a952b47d9fcceb153d5f847

SHA1
f13df656e307bb977b39081734e417e28dbfc400

SHA256
e25447ca8a883b33b6b1d64da3fe7640aebe146136588125d14505011a13d28a

SHA512
9a6ab5bc6c6fd30df5668ed0678761ae4cfe014eaed1ef2b1dd441945f3e4ca5163f51e374ac33124e63e59853f70affb813d421186e3cd307d8baa081496f54

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll

Filesize
3.9MB

MD5
2a855b8f2a952b47d9fcceb153d5f847

SHA1
f13df656e307bb977b39081734e417e28dbfc400

SHA256
e25447ca8a883b33b6b1d64da3fe7640aebe146136588125d14505011a13d28a

SHA512
9a6ab5bc6c6fd30df5668ed0678761ae4cfe014eaed1ef2b1dd441945f3e4ca5163f51e374ac33124e63e59853f70affb813d421186e3cd307d8baa081496f54

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll

Filesize
3.9MB

MD5
2a855b8f2a952b47d9fcceb153d5f847

SHA1
f13df656e307bb977b39081734e417e28dbfc400

SHA256
e25447ca8a883b33b6b1d64da3fe7640aebe146136588125d14505011a13d28a

SHA512
9a6ab5bc6c6fd30df5668ed0678761ae4cfe014eaed1ef2b1dd441945f3e4ca5163f51e374ac33124e63e59853f70affb813d421186e3cd307d8baa081496f54

Download Submit
\Program Files (x86)\Redline\Xceed.Wpf.DataGrid.v5.3.dll

Filesize
3.9MB

MD5
2a855b8f2a952b47d9fcceb153d5f847

SHA1
f13df656e307bb977b39081734e417e28dbfc400

SHA256
e25447ca8a883b33b6b1d64da3fe7640aebe146136588125d14505011a13d28a

SHA512
9a6ab5bc6c6fd30df5668ed0678761ae4cfe014eaed1ef2b1dd441945f3e4ca5163f51e374ac33124e63e59853f70affb813d421186e3cd307d8baa081496f54

Download Submit
\Program Files (x86)\Redline\Xceed.Zip.v5.5.dll

Filesize
317KB

MD5
51701c5295dcd40dfbcf828a6c69d049

SHA1
59660e281f46f179bc2117916a0d78c690bc2063

SHA256
0b396cd9dada05b15d84562fa1761f1e4c65005d049248e0f5bd210e96c72472

SHA512
16750eb042c9c69fb9c66336e73351d4115a36123f24d74e9480f7a49eb6716df82f21a397a04a1d1ab528d986eb395fe881dc590af7d04ab83753e77edc23cf

Download Submit
\Program Files (x86)\Redline\Xceed.Zip.v5.5.dll

Filesize
317KB

MD5
51701c5295dcd40dfbcf828a6c69d049

SHA1
59660e281f46f179bc2117916a0d78c690bc2063

SHA256
0b396cd9dada05b15d84562fa1761f1e4c65005d049248e0f5bd210e96c72472

SHA512
16750eb042c9c69fb9c66336e73351d4115a36123f24d74e9480f7a49eb6716df82f21a397a04a1d1ab528d986eb395fe881dc590af7d04ab83753e77edc23cf

Download Submit
\Program Files (x86)\Redline\log4net.dll

Filesize
264KB

MD5
b89cb7f3f1a1e2807e708f5435deb13d

SHA1
82cde65a7514c0e465ee0d505be56c56639ff0b1

SHA256
27d26aab42f7cab35bf51d0536c67ed553fc97b670226b868805e7c6927e5c87

SHA512
0bd0da0cc01eb62ba1dea21666bccf76db6c7dcb2ddfa608bea61da0ffa230a60a66e91449b2664de006066eb63d26daafb3bf7b932c8a22ccd347dbd707e68b

Download Submit
\Program Files (x86)\Redline\log4net.dll

Filesize
264KB

MD5
b89cb7f3f1a1e2807e708f5435deb13d

SHA1
82cde65a7514c0e465ee0d505be56c56639ff0b1

SHA256
27d26aab42f7cab35bf51d0536c67ed553fc97b670226b868805e7c6927e5c87

SHA512
0bd0da0cc01eb62ba1dea21666bccf76db6c7dcb2ddfa608bea61da0ffa230a60a66e91449b2664de006066eb63d26daafb3bf7b932c8a22ccd347dbd707e68b

Download Submit
\Program Files (x86)\Redline\log4net.dll

Filesize
264KB

MD5
b89cb7f3f1a1e2807e708f5435deb13d

SHA1
82cde65a7514c0e465ee0d505be56c56639ff0b1

SHA256
27d26aab42f7cab35bf51d0536c67ed553fc97b670226b868805e7c6927e5c87

SHA512
0bd0da0cc01eb62ba1dea21666bccf76db6c7dcb2ddfa608bea61da0ffa230a60a66e91449b2664de006066eb63d26daafb3bf7b932c8a22ccd347dbd707e68b

Download Submit
\Program Files (x86)\Redline\log4net.dll

Filesize
264KB

MD5
b89cb7f3f1a1e2807e708f5435deb13d

SHA1
82cde65a7514c0e465ee0d505be56c56639ff0b1

SHA256
27d26aab42f7cab35bf51d0536c67ed553fc97b670226b868805e7c6927e5c87

SHA512
0bd0da0cc01eb62ba1dea21666bccf76db6c7dcb2ddfa608bea61da0ffa230a60a66e91449b2664de006066eb63d26daafb3bf7b932c8a22ccd347dbd707e68b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8C81.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8DAA.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
\Windows\Installer\MSI1769.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
\Windows\Installer\MSI1A19.tmp

Filesize
231KB

MD5
0a2626fc9e4e0ca18386c029e9efffd9

SHA1
ac5576497afac2456f485cdb14bf52d895769651

SHA256
97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3

SHA512
40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da

Download Submit
memory/1292-452-0x0000000005D30000-0x0000000005D88000-memory.dmp

Filesize
352KB

Download
memory/1292-432-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/1292-444-0x0000000005140000-0x0000000005204000-memory.dmp

Filesize
784KB

Download
memory/1292-448-0x0000000004B20000-0x0000000004B50000-memory.dmp

Filesize
192KB

Download
memory/1292-400-0x0000000004670000-0x00000000046C8000-memory.dmp

Filesize
352KB

Download
memory/1292-395-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1292-422-0x0000000000D40000-0x0000000000D88000-memory.dmp

Filesize
288KB

Download
memory/1292-394-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1292-404-0x0000000004870000-0x00000000048C2000-memory.dmp

Filesize
328KB

Download
memory/1292-440-0x0000000005DC0000-0x0000000005FC4000-memory.dmp

Filesize
2.0MB

Download
memory/1292-455-0x00000000060E0000-0x0000000006118000-memory.dmp

Filesize
224KB

Download
memory/1292-454-0x0000000005FD0000-0x000000000607C000-memory.dmp

Filesize
688KB

Download
memory/1292-391-0x0000000000420000-0x0000000000466000-memory.dmp

Filesize
280KB

Download
memory/1292-458-0x0000000005A30000-0x0000000005A5A000-memory.dmp

Filesize
168KB

Download
memory/1292-459-0x0000000006210000-0x000000000625E000-memory.dmp

Filesize
312KB

Download
memory/1292-460-0x0000000005AA0000-0x0000000005AC8000-memory.dmp

Filesize
160KB

Download
memory/1292-431-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/1292-408-0x0000000005330000-0x0000000005720000-memory.dmp

Filesize
3.9MB

Download
memory/1292-387-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-386-0x0000000000D90000-0x0000000000DC6000-memory.dmp

Filesize
216KB

Download
memory/1292-414-0x0000000000AD0000-0x0000000000AFE000-memory.dmp

Filesize
184KB

Download
memory/1292-530-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-534-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1292-436-0x0000000004AD0000-0x0000000004B20000-memory.dmp

Filesize
320KB

Download
memory/1292-545-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1292-546-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/1292-560-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1292-563-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1292-564-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1292-565-0x000000000A3C0000-0x000000000A3C1000-memory.dmp

Filesize
4KB

Download
memory/1292-566-0x000000000A450000-0x000000000A452000-memory.dmp

Filesize
8KB

Download
memory/1292-430-0x0000000005720000-0x0000000005910000-memory.dmp

Filesize
1.9MB

Download
memory/1292-580-0x000000000A3C0000-0x000000000A3C1000-memory.dmp

Filesize
4KB

Download
memory/1292-426-0x0000000004AA0000-0x0000000004AC6000-memory.dmp

Filesize
152KB

Download