redline | 68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4

Analysis

max time kernel
151s
max time network
140s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
Size

333KB
MD5

5e8ee7a0ebc540477649d6c3374c2019
SHA1

86c93aaf465736de4cf955e3feef680372e8d2cc
SHA256

68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4
SHA512

9673fb4436edb8f6703bb4777f9743490f02fd2bd9713ac251ec0f10ebfd116d433a2e8111bf132ce6b783098b9ccae5ea0a4412851a7cde9b37d44836f39247

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-159-0x00000000022F0000-0x000000000231E000-memory.dmp	family_redline
behavioral1/memory/1968-166-0x0000000002700000-0x000000000272C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

4801.exeSmartClock.exe7879.exeC35E.exeE3B8.exe

pid process

3312 4801.exe
3724 SmartClock.exe
604 7879.exe
3168 C35E.exe
1968 E3B8.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2156
Drops startup file 1 IoCs

Processes:

4801.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4801.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3312	4801.exe
3724	SmartClock.exe
604	7879.exe
3168	C35E.exe
1968	E3B8.exe

pid	process
2156

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4801.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1072 3168 WerFault.exe C35E.exe
3084 3748 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1072	3168	WerFault.exe	C35E.exe
3084	3748	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7879.exe68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7879.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7879.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3008 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3824 ipconfig.exe
904 NETSTAT.EXE
1996 NETSTAT.EXE
3824 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2656 systeminfo.exe

pid	process
3008	tasklist.exe

pid	process
3824	ipconfig.exe
904	NETSTAT.EXE
1996	NETSTAT.EXE
3824	ipconfig.exe

pid	process
2656	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DDEB523-52FB-11EC-B34F-F6D3DA6824A5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3724 SmartClock.exe

pid	process
3724	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe

pid	process
2656	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
2656	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2156

pid	process
2156

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe7879.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2656	68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
604	7879.exe
2156
2156
2156
2156
2156
2156
1340	explorer.exe
1340	explorer.exe
2156
2156
904	explorer.exe
904	explorer.exe
2156
2156
2676	explorer.exe
2676	explorer.exe
2156
2156
3824	explorer.exe
3824	explorer.exe
2156
2156
3376	explorer.exe
3376	explorer.exe
3376	explorer.exe
3376	explorer.exe
2156
2156
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1072	WerFault.exe
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: 36	2928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: 36	2928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

660 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

660 iexplore.exe
660 iexplore.exe
360 IEXPLORE.EXE
360 IEXPLORE.EXE

pid	process
660	iexplore.exe

pid	process
660	iexplore.exe
660	iexplore.exe
360	IEXPLORE.EXE
360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4801.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2156 wrote to memory of 3312	2156		4801.exe
PID 2156 wrote to memory of 3312	2156		4801.exe
PID 2156 wrote to memory of 3312	2156		4801.exe
PID 3312 wrote to memory of 3724	3312	4801.exe	SmartClock.exe
PID 3312 wrote to memory of 3724	3312	4801.exe	SmartClock.exe
PID 3312 wrote to memory of 3724	3312	4801.exe	SmartClock.exe
PID 2156 wrote to memory of 604	2156		7879.exe
PID 2156 wrote to memory of 604	2156		7879.exe
PID 2156 wrote to memory of 604	2156		7879.exe
PID 2156 wrote to memory of 3168	2156		C35E.exe
PID 2156 wrote to memory of 3168	2156		C35E.exe
PID 2156 wrote to memory of 1968	2156		E3B8.exe
PID 2156 wrote to memory of 1968	2156		E3B8.exe
PID 2156 wrote to memory of 1968	2156		E3B8.exe
PID 2156 wrote to memory of 2660	2156		cmd.exe
PID 2156 wrote to memory of 2660	2156		cmd.exe
PID 2660 wrote to memory of 2928	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2928	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3844	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3844	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1752	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1752	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 972	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 972	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2136	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2136	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3920	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3920	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1116	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1116	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2680	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2680	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1712	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1712	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2312	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 2312	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3020	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3020	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3256	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3256	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 944	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 944	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1996	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1996	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 3824	2660	cmd.exe	ipconfig.exe
PID 2660 wrote to memory of 3824	2660	cmd.exe	ipconfig.exe
PID 2660 wrote to memory of 3836	2660	cmd.exe	ROUTE.EXE
PID 2660 wrote to memory of 3836	2660	cmd.exe	ROUTE.EXE
PID 2660 wrote to memory of 3996	2660	cmd.exe	netsh.exe
PID 2660 wrote to memory of 3996	2660	cmd.exe	netsh.exe
PID 2660 wrote to memory of 2656	2660	cmd.exe	systeminfo.exe
PID 2660 wrote to memory of 2656	2660	cmd.exe	systeminfo.exe
PID 2660 wrote to memory of 3008	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 3008	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 436	2660	cmd.exe	net.exe
PID 2660 wrote to memory of 436	2660	cmd.exe	net.exe
PID 436 wrote to memory of 3920	436	net.exe	net1.exe
PID 436 wrote to memory of 3920	436	net.exe	net1.exe
PID 2660 wrote to memory of 3792	2660	cmd.exe	net.exe
PID 2660 wrote to memory of 3792	2660	cmd.exe	net.exe
PID 3792 wrote to memory of 1116	3792	net.exe	net1.exe
PID 3792 wrote to memory of 1116	3792	net.exe	net1.exe
PID 2660 wrote to memory of 2280	2660	cmd.exe	net.exe
PID 2660 wrote to memory of 2280	2660	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3748 -s 888
2⤵
- Program crash
PID:3084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3280

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2508

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe
"C:\Users\Admin\AppData\Local\Temp\68dcac9ebc7123e670b9a0c6b61bc6ad05f9bb9dbd22236f3ff0c991a383eff4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Users\Admin\AppData\Local\Temp\4801.exe
C:\Users\Admin\AppData\Local\Temp\4801.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3724

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\7879.exe
C:\Users\Admin\AppData\Local\Temp\7879.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:604

C:\Users\Admin\AppData\Local\Temp\C35E.exe
C:\Users\Admin\AppData\Local\Temp\C35E.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3168 -s 420
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Temp\E3B8.exe
C:\Users\Admin\AppData\Local\Temp\E3B8.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1752

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:972

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2136

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3920

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:1712

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:2312

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3020

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3256

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:944

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1996

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3824

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3836

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3996

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2656

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3008

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3920

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1116

C:\Windows\system32\net.exe
net user
2⤵
PID:2280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:2680

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1872

C:\Windows\system32\net.exe
net use
2⤵
PID:1348

C:\Windows\system32\net.exe
net group
2⤵
PID:3000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3508

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3256

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1496

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2328

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1996

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:2076

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2676

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4801.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4801.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7879.exe
MD5
05db051d56a60badfecd383277573408

SHA1
2acb74daebd96c79e8e412468fd8b2c22d20861a

SHA256
41f90072241c6875fbd2cf1125881345e08c95d38de2b01c6815d164c6846f28

SHA512
87572dad23c1058c7414e838d9febf7130b14595d97ecfe7aa91b21cdf895db800023e9d0704d79b4922ff5f3e109279409b5d26e1175959d545eeb9fe69c59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7879.exe
MD5
05db051d56a60badfecd383277573408

SHA1
2acb74daebd96c79e8e412468fd8b2c22d20861a

SHA256
41f90072241c6875fbd2cf1125881345e08c95d38de2b01c6815d164c6846f28

SHA512
87572dad23c1058c7414e838d9febf7130b14595d97ecfe7aa91b21cdf895db800023e9d0704d79b4922ff5f3e109279409b5d26e1175959d545eeb9fe69c59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C35E.exe
MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\C35E.exe
MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3B8.exe
MD5
e44e52c3b3716982c6aa95c497596db0

SHA1
1dbc602aa967c9868ab654ed4f4052647ca0a0e8

SHA256
40902bd8f06b012f24d88d319c1816c4e47a2b3b2dd24e5fa8c0715ea5549110

SHA512
809995e09fd0b9defa5354be98e57fc0773b975e91def48d4d267981a880482b7104a0f60f17396dde73d4599abb94a83ba6b61c9d50d2f9b18eeee15a60a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3B8.exe
MD5
e44e52c3b3716982c6aa95c497596db0

SHA1
1dbc602aa967c9868ab654ed4f4052647ca0a0e8

SHA256
40902bd8f06b012f24d88d319c1816c4e47a2b3b2dd24e5fa8c0715ea5549110

SHA512
809995e09fd0b9defa5354be98e57fc0773b975e91def48d4d267981a880482b7104a0f60f17396dde73d4599abb94a83ba6b61c9d50d2f9b18eeee15a60a55c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
memory/360-241-0x0000000000000000-mapping.dmp

Download
memory/436-193-0x0000000000000000-mapping.dmp

Download
memory/604-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/604-139-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/604-137-0x0000000000651000-0x0000000000662000-memory.dmp

Filesize
68KB

Download
memory/604-134-0x0000000000000000-mapping.dmp

Download
memory/660-225-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-238-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-216-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-217-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-218-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-220-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-221-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-281-0x000001DDB84C0000-0x000001DDB84C1000-memory.dmp

Filesize
4KB

Download
memory/660-222-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-288-0x000001DDBA510000-0x000001DDBA511000-memory.dmp

Filesize
4KB

Download
memory/660-223-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-224-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-306-0x000001DDB84D0000-0x000001DDB84D1000-memory.dmp

Filesize
4KB

Download
memory/660-252-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-251-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-250-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-248-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-226-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-228-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-246-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-245-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-243-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-242-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-304-0x000001DDB8650000-0x000001DDB8651000-memory.dmp

Filesize
4KB

Download
memory/660-239-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-229-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-236-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-237-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-234-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-233-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-232-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/660-230-0x00007FFD535E0000-0x00007FFD5364B000-memory.dmp

Filesize
428KB

Download
memory/904-279-0x00000000012C0000-0x00000000012C9000-memory.dmp

Filesize
36KB

Download
memory/904-206-0x0000000000000000-mapping.dmp

Download
memory/904-278-0x0000000000000000-mapping.dmp

Download
memory/904-280-0x00000000012B0000-0x00000000012BE000-memory.dmp

Filesize
56KB

Download
memory/944-180-0x0000000000000000-mapping.dmp

Download
memory/972-154-0x0000000000000000-mapping.dmp

Download
memory/1072-303-0x000002BD83060000-0x000002BD83061000-memory.dmp

Filesize
4KB

Download
memory/1116-196-0x0000000000000000-mapping.dmp

Download
memory/1116-174-0x0000000000000000-mapping.dmp

Download
memory/1340-275-0x0000000000000000-mapping.dmp

Download
memory/1340-277-0x0000000003210000-0x000000000321B000-memory.dmp

Filesize
44KB

Download
memory/1340-276-0x0000000003220000-0x0000000003227000-memory.dmp

Filesize
28KB

Download
memory/1348-201-0x0000000000000000-mapping.dmp

Download
memory/1440-204-0x0000000000000000-mapping.dmp

Download
memory/1496-207-0x0000000000000000-mapping.dmp

Download
memory/1708-274-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/1708-273-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

Filesize
28KB

Download
memory/1708-270-0x0000000000000000-mapping.dmp

Download
memory/1712-176-0x0000000000000000-mapping.dmp

Download
memory/1752-153-0x0000000000000000-mapping.dmp

Download
memory/1872-200-0x0000000000000000-mapping.dmp

Download
memory/1916-272-0x0000000002A10000-0x0000000002A7B000-memory.dmp

Filesize
428KB

Download
memory/1916-266-0x0000000000000000-mapping.dmp

Download
memory/1916-271-0x0000000002A80000-0x0000000002AF5000-memory.dmp

Filesize
468KB

Download
memory/1968-169-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1968-164-0x0000000002772000-0x0000000002773000-memory.dmp

Filesize
4KB

Download
memory/1968-191-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/1968-190-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/1968-171-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1968-158-0x0000000000711000-0x000000000073D000-memory.dmp

Filesize
176KB

Download
memory/1968-159-0x00000000022F0000-0x000000000231E000-memory.dmp

Filesize
184KB

Download
memory/1968-160-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/1968-182-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1968-161-0x0000000002773000-0x0000000002774000-memory.dmp

Filesize
4KB

Download
memory/1968-184-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1968-144-0x0000000000000000-mapping.dmp

Download
memory/1968-185-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/1968-165-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1968-163-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1968-183-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/1968-166-0x0000000002700000-0x000000000272C000-memory.dmp

Filesize
176KB

Download
memory/1968-170-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/1968-173-0x0000000002774000-0x0000000002776000-memory.dmp

Filesize
8KB

Download
memory/1968-167-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1968-168-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1968-162-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1996-209-0x0000000000000000-mapping.dmp

Download
memory/1996-181-0x0000000000000000-mapping.dmp

Download
memory/2076-210-0x0000000000000000-mapping.dmp

Download
memory/2136-155-0x0000000000000000-mapping.dmp

Download
memory/2156-215-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/2156-147-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/2156-149-0x0000000004E30000-0x0000000004E3F000-memory.dmp

Filesize
60KB

Download
memory/2156-148-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/2156-121-0x0000000001120000-0x0000000001136000-memory.dmp

Filesize
88KB

Download
memory/2156-140-0x00000000032B0000-0x00000000032C6000-memory.dmp

Filesize
88KB

Download
memory/2156-214-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/2156-212-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/2280-197-0x0000000000000000-mapping.dmp

Download
memory/2312-177-0x0000000000000000-mapping.dmp

Download
memory/2328-208-0x0000000000000000-mapping.dmp

Download
memory/2444-297-0x0000020757030000-0x0000020757031000-memory.dmp

Filesize
4KB

Download
memory/2508-298-0x000001F5604F0000-0x000001F5604F1000-memory.dmp

Filesize
4KB

Download
memory/2656-189-0x0000000000000000-mapping.dmp

Download
memory/2656-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2656-120-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2660-150-0x0000000000000000-mapping.dmp

Download
memory/2676-282-0x0000000000000000-mapping.dmp

Download
memory/2676-283-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2676-284-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/2680-198-0x0000000000000000-mapping.dmp

Download
memory/2680-175-0x0000000000000000-mapping.dmp

Download
memory/2732-299-0x00000279DEBC0000-0x00000279DEBC1000-memory.dmp

Filesize
4KB

Download
memory/2732-302-0x00000279DEF00000-0x00000279DEF01000-memory.dmp

Filesize
4KB

Download
memory/2928-151-0x0000000000000000-mapping.dmp

Download
memory/3000-202-0x0000000000000000-mapping.dmp

Download
memory/3008-192-0x0000000000000000-mapping.dmp

Download
memory/3020-178-0x0000000000000000-mapping.dmp

Download
memory/3084-305-0x000002A526A10000-0x000002A526A11000-memory.dmp

Filesize
4KB

Download
memory/3168-301-0x0000026E3D500000-0x0000026E3D501000-memory.dmp

Filesize
4KB

Download
memory/3168-141-0x0000000000000000-mapping.dmp

Download
memory/3256-205-0x0000000000000000-mapping.dmp

Download
memory/3256-179-0x0000000000000000-mapping.dmp

Download
memory/3312-122-0x0000000000000000-mapping.dmp

Download
memory/3312-125-0x00000000005A1000-0x0000000000621000-memory.dmp

Filesize
512KB

Download
memory/3312-126-0x0000000000800000-0x0000000000891000-memory.dmp

Filesize
580KB

Download
memory/3312-127-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3376-292-0x0000000002970000-0x000000000297B000-memory.dmp

Filesize
44KB

Download
memory/3376-291-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/3376-289-0x0000000000000000-mapping.dmp

Download
memory/3472-300-0x000001483E530000-0x000001483E531000-memory.dmp

Filesize
4KB

Download
memory/3508-203-0x0000000000000000-mapping.dmp

Download
memory/3616-157-0x0000028E3A740000-0x0000028E3A742000-memory.dmp

Filesize
8KB

Download
memory/3616-156-0x0000028E3A740000-0x0000028E3A742000-memory.dmp

Filesize
8KB

Download
memory/3724-132-0x0000000000550000-0x00000000005FE000-memory.dmp

Filesize
696KB

Download
memory/3724-293-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3724-133-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3724-294-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/3724-128-0x0000000000000000-mapping.dmp

Download
memory/3792-195-0x0000000000000000-mapping.dmp

Download
memory/3816-296-0x0000000000D60000-0x0000000000D6D000-memory.dmp

Filesize
52KB

Download
memory/3816-290-0x0000000000000000-mapping.dmp

Download
memory/3816-295-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/3824-285-0x0000000000000000-mapping.dmp

Download
memory/3824-186-0x0000000000000000-mapping.dmp

Download
memory/3824-211-0x0000000000000000-mapping.dmp

Download
memory/3824-287-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/3824-286-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/3836-187-0x0000000000000000-mapping.dmp

Download
memory/3844-152-0x0000000000000000-mapping.dmp

Download
memory/3920-172-0x0000000000000000-mapping.dmp

Download
memory/3920-194-0x0000000000000000-mapping.dmp

Download
memory/3996-188-0x0000000000000000-mapping.dmp

Download
memory/4032-199-0x0000000000000000-mapping.dmp

Download