smokeloader | 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
Size

288KB
MD5

870454d6dc60474e5c98db3a6551aa52
SHA1

5f4cab81e841059908b4a252740dbfec429f1d8c
SHA256

2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c
SHA512

e3a6397090b3bb82de407b1b43d21c47161097bf4deee407e862f7baf65b319db83aabd5a92be12ffff373d907966f060b5ad2aad5a6c6d2b967e7fef23d0c83
SSDEEP

3072:3aqUIlWrtEgY1HVxRwDRwXalOJTpr7f2rz7mImr4Z:Kq5W2l1HVxRwDqKI4/Bmr

Score

10^/10

smokeloader 0024 backdoor collection evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

0024

Extracted

Family

smokeloader

Version

2022

https://utah-saints.com/search.php

https://atlanta-newspaper.com/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2856	netsh.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3008	tasklist.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4432	ipconfig.exe
1616	NETSTAT.EXE
4128	NETSTAT.EXE
4208	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2576	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31062371"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3442254324"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000fdb2ab35a8c988cf9cfeac17b3afc59127ff0fbb673566085d5b25f0b9620c4b000000000e80000000020000200000009fa8adb29676135a720974ab9845c8e67c9237e923bfc679ad915cfa0d28a88c1000000079567b6821ad4a7bb37ea93b5635640540000000d3ba1fb0ebcc87748e4448e19d312850c39b3d127629b07795db675c478e23acbf1b32e943044fb9888fe0fe41079625ece518fb0357da0d3254a7f66e7c3666	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31062371"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5086b7cf63f9d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3449600497"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000dcfd7ff88c094103cdf41283cb3d59406889399f8612ebc2a842ceaf5d482298000000000e8000000002000020000000174932c7bd6f4b612c7588a2f2842e14e7f516660fe81817ccb38b773976e617500000000b9026ae2fb1d5123a27bdaafc3b7d49fc8f58ba7f03fd00f2f52d8c27bc0f8e5731774f56247958e18c0ed6405afd988e3264a1ba9bb10fecddf3b7268cb33c3c0ad7402cfc0160d37ff9b4af0b51b640000000a04bbb2898b8e51337b47f1c5c576e0ed1ed67effb78c5bdf0d7b3c3c5d4663eb74914c14ced2d0391c3982e4ec5ceb6675d7a04de581f7e86b757e6a9187f26	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000fd0d0532c205348cdb28ddf853527d9561b821edf0908b1a968c8fa042ac6fea000000000e8000000002000020000000cbe5d8279ad25734579e1f0982790356b87aec91653749387b4ccf3fac5966d6200000006d1066f0f4fbbc46894cb88a9a957dd7ce6c929f7215f8d777526946d089747140000000fdbec1c4164233a9bdb6bfca07500bfa853afab0c3cc7626da149199ca8ec081a70859783cbe36c9354665284e8c309bfc6b1c8b4a95d4b57aa8d145e3b84528	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F8B4CB60-6556-11EE-83FE-DA5D5E1D8AF4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31062371"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f000000000200000000001066000000010000200000004ae85b54e4871bafbdab88c0505d94c9a2fd275a84f2677bbf6545d7827c1c3f000000000e80000000020000200000004c574be6d9a0ff2fcd6acc36b5c2a968bf87b21d8db5c9afa02e023cc25483c020000000b0bbfb4a823d27279646eafbe75620a0914844261557e724373c8cc136816aec40000000161e8a13fdd157f26b204d4108066335e2bb1495c90dfeed4538d204f7752c54d5cabe7955c69095cf5c5ab6ab8fd7fbc3aaecf5759e69b8ebd76891b407a828	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403478446"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3442254324"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b7c5cf63f9d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
2952	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
748	Process not Found

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
2952	2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found
4692	explorer.exe
4692	explorer.exe
748	Process not Found
748	Process not Found
4380	explorer.exe
4380	explorer.exe
748	Process not Found
748	Process not Found
1220	explorer.exe
1220	explorer.exe
748	Process not Found
748	Process not Found
3268	explorer.exe
3268	explorer.exe
748	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
384	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
384	iexplore.exe
384	iexplore.exe
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
748	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1916	748	Process not Found	96
PID 748 wrote to memory of 1916	748	Process not Found	96
PID 1916 wrote to memory of 1508	1916	cmd.exe	98
PID 1916 wrote to memory of 1508	1916	cmd.exe	98
PID 1916 wrote to memory of 3904	1916	cmd.exe	99
PID 1916 wrote to memory of 3904	1916	cmd.exe	99
PID 1916 wrote to memory of 3120	1916	cmd.exe	100
PID 1916 wrote to memory of 3120	1916	cmd.exe	100
PID 1916 wrote to memory of 4448	1916	cmd.exe	101
PID 1916 wrote to memory of 4448	1916	cmd.exe	101
PID 1916 wrote to memory of 384	1916	cmd.exe	102
PID 1916 wrote to memory of 384	1916	cmd.exe	102
PID 1916 wrote to memory of 2000	1916	cmd.exe	106
PID 1916 wrote to memory of 2000	1916	cmd.exe	106
PID 1916 wrote to memory of 4580	1916	cmd.exe	107
PID 1916 wrote to memory of 4580	1916	cmd.exe	107
PID 1916 wrote to memory of 3740	1916	cmd.exe	108
PID 1916 wrote to memory of 3740	1916	cmd.exe	108
PID 1916 wrote to memory of 3940	1916	cmd.exe	109
PID 1916 wrote to memory of 3940	1916	cmd.exe	109
PID 1916 wrote to memory of 1652	1916	cmd.exe	110
PID 1916 wrote to memory of 1652	1916	cmd.exe	110
PID 1916 wrote to memory of 4912	1916	cmd.exe	111
PID 1916 wrote to memory of 4912	1916	cmd.exe	111
PID 1916 wrote to memory of 900	1916	cmd.exe	112
PID 1916 wrote to memory of 900	1916	cmd.exe	112
PID 1916 wrote to memory of 4856	1916	cmd.exe	114
PID 1916 wrote to memory of 4856	1916	cmd.exe	114
PID 1916 wrote to memory of 1328	1916	cmd.exe	115
PID 1916 wrote to memory of 1328	1916	cmd.exe	115
PID 1916 wrote to memory of 4432	1916	cmd.exe	116
PID 1916 wrote to memory of 4432	1916	cmd.exe	116
PID 1916 wrote to memory of 1320	1916	cmd.exe	117
PID 1916 wrote to memory of 1320	1916	cmd.exe	117
PID 1916 wrote to memory of 2856	1916	cmd.exe	118
PID 1916 wrote to memory of 2856	1916	cmd.exe	118
PID 1916 wrote to memory of 2576	1916	cmd.exe	119
PID 1916 wrote to memory of 2576	1916	cmd.exe	119
PID 1916 wrote to memory of 3008	1916	cmd.exe	122
PID 1916 wrote to memory of 3008	1916	cmd.exe	122
PID 1916 wrote to memory of 3252	1916	cmd.exe	123
PID 1916 wrote to memory of 3252	1916	cmd.exe	123
PID 3252 wrote to memory of 2252	3252	net.exe	124
PID 3252 wrote to memory of 2252	3252	net.exe	124
PID 1916 wrote to memory of 856	1916	cmd.exe	125
PID 1916 wrote to memory of 856	1916	cmd.exe	125
PID 856 wrote to memory of 3784	856	net.exe	126
PID 856 wrote to memory of 3784	856	net.exe	126
PID 1916 wrote to memory of 1716	1916	cmd.exe	127
PID 1916 wrote to memory of 1716	1916	cmd.exe	127
PID 1716 wrote to memory of 4476	1716	net.exe	128
PID 1716 wrote to memory of 4476	1716	net.exe	128
PID 1916 wrote to memory of 3380	1916	cmd.exe	129
PID 1916 wrote to memory of 3380	1916	cmd.exe	129
PID 3380 wrote to memory of 2400	3380	net.exe	130
PID 3380 wrote to memory of 2400	3380	net.exe	130
PID 1916 wrote to memory of 5040	1916	cmd.exe	131
PID 1916 wrote to memory of 5040	1916	cmd.exe	131
PID 1916 wrote to memory of 3040	1916	cmd.exe	132
PID 1916 wrote to memory of 3040	1916	cmd.exe	132
PID 3040 wrote to memory of 2028	3040	net.exe	133
PID 3040 wrote to memory of 2028	3040	net.exe	133
PID 1916 wrote to memory of 2504	1916	cmd.exe	134
PID 1916 wrote to memory of 2504	1916	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
"C:\Users\Admin\AppData\Local\Temp\2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2952

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:3120
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:4448
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:384
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:2000
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:4580
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:3740
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:3940
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:1652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:4912
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:900
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:4856
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:1328
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:4432
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:1320
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  - Modifies Windows Firewall
  PID:2856
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2576
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:3008
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:2252
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:3784
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:4476
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:2400
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:5040
- C:\Windows\system32\net.exe
  net group
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:2028
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:2504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:1820
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:2136
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:1628
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:4128
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:3888
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:4208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1144

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1688

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/748-4-0x00000000025B0000-0x00000000025C6000-memory.dmp

Filesize
88KB

Download
memory/748-14-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/1220-77-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/1220-78-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1220-88-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/1220-89-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1688-91-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/1688-82-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download
memory/1688-92-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download
memory/1688-81-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2952-2-0x0000000000400000-0x0000000002285000-memory.dmp

Filesize
30.5MB

Download
memory/2952-5-0x0000000000400000-0x0000000002285000-memory.dmp

Filesize
30.5MB

Download
memory/2952-1-0x00000000022C0000-0x00000000023C0000-memory.dmp

Filesize
1024KB

Download
memory/2952-3-0x0000000003FD0000-0x0000000003FD9000-memory.dmp

Filesize
36KB

Download
memory/3040-84-0x00000000006A0000-0x00000000006AD000-memory.dmp

Filesize
52KB

Download
memory/3040-85-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/3040-86-0x00000000006A0000-0x00000000006AD000-memory.dmp

Filesize
52KB

Download
memory/3268-79-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/3268-90-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/3268-80-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/4332-49-0x0000000000B10000-0x0000000000B17000-memory.dmp

Filesize
28KB

Download
memory/4332-50-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/4332-48-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/4380-87-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/4380-76-0x0000000000560000-0x000000000056F000-memory.dmp

Filesize
60KB

Download
memory/4380-74-0x0000000000560000-0x000000000056F000-memory.dmp

Filesize
60KB

Download
memory/4380-75-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/4504-25-0x0000000000800000-0x000000000086B000-memory.dmp

Filesize
428KB

Download
memory/4504-54-0x0000000000800000-0x000000000086B000-memory.dmp

Filesize
428KB

Download
memory/4504-26-0x0000000000800000-0x000000000086B000-memory.dmp

Filesize
428KB

Download
memory/4504-24-0x0000000000870000-0x00000000008E5000-memory.dmp

Filesize
468KB

Download
memory/4692-83-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/4692-67-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/4692-68-0x0000000000DA0000-0x0000000000DA7000-memory.dmp

Filesize
28KB

Download