redline | 6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896

Analysis

max time kernel
151s
max time network
137s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
Size

333KB
MD5

01dd0a615be98a52850cd041b41861a4
SHA1

a72556685eb86063537651caf15c3c48487d87f5
SHA256

6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896
SHA512

17d14ca81d0dc91c975ade02291d5596e5d5df4ae66b9fd12e422577c2234227d9a860931bfbf46584a180deb52dc59bb28f0a3cfed4bf7300e61a622a6fe144

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/808-148-0x00000000022B0000-0x00000000022DE000-memory.dmp	family_redline
behavioral1/memory/808-150-0x00000000024B0000-0x00000000024DC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

2288.exe2DE3.exeSmartClock.exe3E7E.exe463F.exe

pid process

648 2288.exe
996 2DE3.exe
404 SmartClock.exe
2768 3E7E.exe
808 463F.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

3040
Drops startup file 1 IoCs

Processes:

2288.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 2288.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
648	2288.exe
996	2DE3.exe
404	SmartClock.exe
2768	3E7E.exe
808	463F.exe

pid	process
3040

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	2288.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1384 2768 WerFault.exe 3E7E.exe
2236 3656 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1384	2768	WerFault.exe	3E7E.exe
2236	3656	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe2DE3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE3.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2760 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeipconfig.exe

pid process

2888 NETSTAT.EXE
688 NETSTAT.EXE
3908 ipconfig.exe
3176 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4092 systeminfo.exe

pid	process
2760	tasklist.exe

pid	process
2888	NETSTAT.EXE
688	NETSTAT.EXE
3908	ipconfig.exe
3176	ipconfig.exe

pid	process
4092	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F2212DB-52FE-11EC-B34F-52A244D9E269} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

404 SmartClock.exe

pid	process
404	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe

pid	process
2628	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
2628	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe2DE3.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2628	6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
996	2DE3.exe
3040
3040
3040
3040
3040
3040
884	explorer.exe
884	explorer.exe
3040
3040
3604	explorer.exe
3604	explorer.exe
3040
3040
3616	explorer.exe
3616	explorer.exe
3040
3040
2064	explorer.exe
2064	explorer.exe
3040
3040
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
3040
3040
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe463F.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1384	WerFault.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	808	463F.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeIncreaseQuotaPrivilege	3632	WMIC.exe
Token: SeSecurityPrivilege	3632	WMIC.exe
Token: SeTakeOwnershipPrivilege	3632	WMIC.exe
Token: SeLoadDriverPrivilege	3632	WMIC.exe
Token: SeSystemProfilePrivilege	3632	WMIC.exe
Token: SeSystemtimePrivilege	3632	WMIC.exe
Token: SeProfSingleProcessPrivilege	3632	WMIC.exe
Token: SeIncBasePriorityPrivilege	3632	WMIC.exe
Token: SeCreatePagefilePrivilege	3632	WMIC.exe
Token: SeBackupPrivilege	3632	WMIC.exe
Token: SeRestorePrivilege	3632	WMIC.exe
Token: SeShutdownPrivilege	3632	WMIC.exe
Token: SeDebugPrivilege	3632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3632	WMIC.exe
Token: SeRemoteShutdownPrivilege	3632	WMIC.exe
Token: SeUndockPrivilege	3632	WMIC.exe
Token: SeManageVolumePrivilege	3632	WMIC.exe
Token: 33	3632	WMIC.exe
Token: 34	3632	WMIC.exe
Token: 35	3632	WMIC.exe
Token: 36	3632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3632	WMIC.exe
Token: SeSecurityPrivilege	3632	WMIC.exe
Token: SeTakeOwnershipPrivilege	3632	WMIC.exe
Token: SeLoadDriverPrivilege	3632	WMIC.exe
Token: SeSystemProfilePrivilege	3632	WMIC.exe
Token: SeSystemtimePrivilege	3632	WMIC.exe
Token: SeProfSingleProcessPrivilege	3632	WMIC.exe
Token: SeIncBasePriorityPrivilege	3632	WMIC.exe
Token: SeCreatePagefilePrivilege	3632	WMIC.exe
Token: SeBackupPrivilege	3632	WMIC.exe
Token: SeRestorePrivilege	3632	WMIC.exe
Token: SeShutdownPrivilege	3632	WMIC.exe
Token: SeDebugPrivilege	3632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3632	WMIC.exe
Token: SeRemoteShutdownPrivilege	3632	WMIC.exe
Token: SeUndockPrivilege	3632	WMIC.exe
Token: SeManageVolumePrivilege	3632	WMIC.exe
Token: 33	3632	WMIC.exe
Token: 34	3632	WMIC.exe
Token: 35	3632	WMIC.exe
Token: 36	3632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3168 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3168 iexplore.exe
3168 iexplore.exe
2760 IEXPLORE.EXE
2760 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3456 RuntimeBroker.exe

pid	process
3168	iexplore.exe

pid	process
3168	iexplore.exe
3168	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE

pid	process
3456	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2288.execmd.exenet.exenet.exe

description	pid	process	target process
PID 3040 wrote to memory of 648	3040		2288.exe
PID 3040 wrote to memory of 648	3040		2288.exe
PID 3040 wrote to memory of 648	3040		2288.exe
PID 3040 wrote to memory of 996	3040		2DE3.exe
PID 3040 wrote to memory of 996	3040		2DE3.exe
PID 3040 wrote to memory of 996	3040		2DE3.exe
PID 648 wrote to memory of 404	648	2288.exe	SmartClock.exe
PID 648 wrote to memory of 404	648	2288.exe	SmartClock.exe
PID 648 wrote to memory of 404	648	2288.exe	SmartClock.exe
PID 3040 wrote to memory of 2768	3040		3E7E.exe
PID 3040 wrote to memory of 2768	3040		3E7E.exe
PID 3040 wrote to memory of 808	3040		463F.exe
PID 3040 wrote to memory of 808	3040		463F.exe
PID 3040 wrote to memory of 808	3040		463F.exe
PID 3040 wrote to memory of 2648	3040		cmd.exe
PID 3040 wrote to memory of 2648	3040		cmd.exe
PID 2648 wrote to memory of 3632	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3632	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3144	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3144	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3168	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3168	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2084	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2084	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1340	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1340	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1968	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1968	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1824	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1824	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1516	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1516	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2020	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2020	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2888	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 2888	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1248	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 1248	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3052	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3052	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3028	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3028	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 4080	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 4080	2648	cmd.exe	WMIC.exe
PID 2648 wrote to memory of 3176	2648	cmd.exe	ipconfig.exe
PID 2648 wrote to memory of 3176	2648	cmd.exe	ipconfig.exe
PID 2648 wrote to memory of 3652	2648	cmd.exe	ROUTE.EXE
PID 2648 wrote to memory of 3652	2648	cmd.exe	ROUTE.EXE
PID 2648 wrote to memory of 1356	2648	cmd.exe	netsh.exe
PID 2648 wrote to memory of 1356	2648	cmd.exe	netsh.exe
PID 2648 wrote to memory of 4092	2648	cmd.exe	systeminfo.exe
PID 2648 wrote to memory of 4092	2648	cmd.exe	systeminfo.exe
PID 2648 wrote to memory of 2760	2648	cmd.exe	tasklist.exe
PID 2648 wrote to memory of 2760	2648	cmd.exe	tasklist.exe
PID 2648 wrote to memory of 352	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 352	2648	cmd.exe	net.exe
PID 352 wrote to memory of 1036	352	net.exe	net1.exe
PID 352 wrote to memory of 1036	352	net.exe	net1.exe
PID 2648 wrote to memory of 3860	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 3860	2648	cmd.exe	net.exe
PID 3860 wrote to memory of 1512	3860	net.exe	net1.exe
PID 3860 wrote to memory of 1512	3860	net.exe	net1.exe
PID 2648 wrote to memory of 1736	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 1736	2648	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2696

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3656 -s 900
  2⤵
  - Program crash
  PID:2236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2412

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe
"C:\Users\Admin\AppData\Local\Temp\6e31b422ffcd882a3b8f73a6fb88c1fe750d10e867c74b70a76427ae683e6896.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2628

C:\Users\Admin\AppData\Local\Temp\2288.exe
C:\Users\Admin\AppData\Local\Temp\2288.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:404

C:\Users\Admin\AppData\Local\Temp\2DE3.exe
C:\Users\Admin\AppData\Local\Temp\2DE3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:996

C:\Users\Admin\AppData\Local\Temp\3E7E.exe
C:\Users\Admin\AppData\Local\Temp\3E7E.exe
1⤵
- Executes dropped EXE
PID:2768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2768 -s 416
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1384

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\463F.exe
C:\Users\Admin\AppData\Local\Temp\463F.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:3168
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:2084
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:1340
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:1968
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:1824
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:1516
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:2020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:2888
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:1248
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:3052
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:3028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:4080
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:3176
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:3652
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  PID:1356
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4092
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:2760
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:1036
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:1512
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:1736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:1968
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:1824
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:2168
- C:\Windows\system32\net.exe
  net group
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:1504
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:2268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:3752
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:1768
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:1248
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:688
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:3172
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:3908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3616

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2288.exe

MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2288.exe

MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DE3.exe

MD5
2b5fce2437cca15b83498d05bf531191

SHA1
39763ffde09a3e821896656d3f1eea7bb3400cba

SHA256
5c67d078ed1b093faad413b579a897e2ced8be5a60c83961973602b711272e21

SHA512
8e29b1be156ba6d9dc206f31495cf9e716c7dfcc4cf2e580518c4b55cdd0601da2066af2e2c7c6f56f0c634a63d685aea9ac3fb3714aeb6438933cec74beb9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DE3.exe

MD5
2b5fce2437cca15b83498d05bf531191

SHA1
39763ffde09a3e821896656d3f1eea7bb3400cba

SHA256
5c67d078ed1b093faad413b579a897e2ced8be5a60c83961973602b711272e21

SHA512
8e29b1be156ba6d9dc206f31495cf9e716c7dfcc4cf2e580518c4b55cdd0601da2066af2e2c7c6f56f0c634a63d685aea9ac3fb3714aeb6438933cec74beb9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7E.exe

MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7E.exe

MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\463F.exe

MD5
c7881d8ae52d7b084649261336b10c09

SHA1
627509bce9ee95db909af6c30613651afbd94236

SHA256
5cb604ad9ad374e471d3aac68e616b891e68140657d601ce81a16617657e9cdb

SHA512
0bdee0dda63a9a43d768d59c131484b5775eac756b5ee4eb85430e8daa8f2715d3f56049d98fd362b3d1ad8e47a5ead3f94ada4c671c5051870545729e5ab5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\463F.exe

MD5
c7881d8ae52d7b084649261336b10c09

SHA1
627509bce9ee95db909af6c30613651afbd94236

SHA256
5cb604ad9ad374e471d3aac68e616b891e68140657d601ce81a16617657e9cdb

SHA512
0bdee0dda63a9a43d768d59c131484b5775eac756b5ee4eb85430e8daa8f2715d3f56049d98fd362b3d1ad8e47a5ead3f94ada4c671c5051870545729e5ab5f5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
memory/352-193-0x0000000000000000-mapping.dmp

Download
memory/404-143-0x0000000000761000-0x00000000007E1000-memory.dmp

Filesize
512KB

Download
memory/404-131-0x0000000000000000-mapping.dmp

Download
memory/404-144-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/404-293-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/404-292-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/404-145-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/648-130-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/648-129-0x0000000000550000-0x00000000005FE000-memory.dmp

Filesize
696KB

Download
memory/648-122-0x0000000000000000-mapping.dmp

Download
memory/688-209-0x0000000000000000-mapping.dmp

Download
memory/808-158-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/808-153-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/808-164-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/808-167-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/808-163-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/808-162-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/808-166-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/808-147-0x0000000000591000-0x00000000005BD000-memory.dmp

Filesize
176KB

Download
memory/808-148-0x00000000022B0000-0x00000000022DE000-memory.dmp

Filesize
184KB

Download
memory/808-149-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/808-150-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/808-151-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/808-152-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/808-140-0x0000000000000000-mapping.dmp

Download
memory/808-154-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/808-155-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/808-156-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/808-157-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/808-165-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/808-159-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

Filesize
4KB

Download
memory/808-160-0x0000000004CF3000-0x0000000004CF4000-memory.dmp

Filesize
4KB

Download
memory/808-161-0x0000000004CF4000-0x0000000004CF6000-memory.dmp

Filesize
8KB

Download
memory/884-277-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/884-275-0x0000000000000000-mapping.dmp

Download
memory/884-276-0x0000000000700000-0x0000000000707000-memory.dmp

Filesize
28KB

Download
memory/996-137-0x0000000000761000-0x0000000000772000-memory.dmp

Filesize
68KB

Download
memory/996-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/996-139-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/996-125-0x0000000000000000-mapping.dmp

Download
memory/1036-194-0x0000000000000000-mapping.dmp

Download
memory/1172-273-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download
memory/1172-272-0x0000000000000000-mapping.dmp

Download
memory/1172-274-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1248-184-0x0000000000000000-mapping.dmp

Download
memory/1248-208-0x0000000000000000-mapping.dmp

Download
memory/1340-176-0x0000000000000000-mapping.dmp

Download
memory/1356-190-0x0000000000000000-mapping.dmp

Download
memory/1384-303-0x0000016CC5F50000-0x0000016CC5F51000-memory.dmp

Filesize
4KB

Download
memory/1504-203-0x0000000000000000-mapping.dmp

Download
memory/1512-196-0x0000000000000000-mapping.dmp

Download
memory/1516-181-0x0000000000000000-mapping.dmp

Download
memory/1736-197-0x0000000000000000-mapping.dmp

Download
memory/1768-207-0x0000000000000000-mapping.dmp

Download
memory/1824-200-0x0000000000000000-mapping.dmp

Download
memory/1824-180-0x0000000000000000-mapping.dmp

Download
memory/1904-291-0x0000000000560000-0x000000000056B000-memory.dmp

Filesize
44KB

Download
memory/1904-290-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/1904-289-0x0000000000000000-mapping.dmp

Download
memory/1928-267-0x0000000000000000-mapping.dmp

Download
memory/1928-271-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/1928-270-0x0000000000180000-0x00000000001F5000-memory.dmp

Filesize
468KB

Download
memory/1968-198-0x0000000000000000-mapping.dmp

Download
memory/1968-179-0x0000000000000000-mapping.dmp

Download
memory/2020-182-0x0000000000000000-mapping.dmp

Download
memory/2064-286-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/2064-285-0x0000000000000000-mapping.dmp

Download
memory/2064-287-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2084-175-0x0000000000000000-mapping.dmp

Download
memory/2168-201-0x0000000000000000-mapping.dmp

Download
memory/2236-305-0x000001C604420000-0x000001C604421000-memory.dmp

Filesize
4KB

Download
memory/2268-204-0x0000000000000000-mapping.dmp

Download
memory/2372-297-0x000002A4A56C0000-0x000002A4A56C1000-memory.dmp

Filesize
4KB

Download
memory/2412-298-0x000001D7B2380000-0x000001D7B2381000-memory.dmp

Filesize
4KB

Download
memory/2628-118-0x00000000007C1000-0x00000000007D2000-memory.dmp

Filesize
68KB

Download
memory/2628-120-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2628-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2648-171-0x0000000000000000-mapping.dmp

Download
memory/2696-299-0x00000237F43C0000-0x00000237F43C1000-memory.dmp

Filesize
4KB

Download
memory/2696-302-0x00000237F4700000-0x00000237F4701000-memory.dmp

Filesize
4KB

Download
memory/2760-192-0x0000000000000000-mapping.dmp

Download
memory/2760-241-0x0000000000000000-mapping.dmp

Download
memory/2768-301-0x0000024D96EB0000-0x0000024D96EB1000-memory.dmp

Filesize
4KB

Download
memory/2768-134-0x0000000000000000-mapping.dmp

Download
memory/2888-206-0x0000000000000000-mapping.dmp

Download
memory/2888-183-0x0000000000000000-mapping.dmp

Download
memory/3024-199-0x0000000000000000-mapping.dmp

Download
memory/3028-186-0x0000000000000000-mapping.dmp

Download
memory/3040-168-0x0000000004A80000-0x0000000004A82000-memory.dmp

Filesize
8KB

Download
memory/3040-146-0x0000000002F70000-0x0000000002F86000-memory.dmp

Filesize
88KB

Download
memory/3040-215-0x0000000004A80000-0x0000000004A82000-memory.dmp

Filesize
8KB

Download
memory/3040-214-0x0000000004A80000-0x0000000004A82000-memory.dmp

Filesize
8KB

Download
memory/3040-169-0x0000000004A80000-0x0000000004A82000-memory.dmp

Filesize
8KB

Download
memory/3040-170-0x0000000004A70000-0x0000000004A7F000-memory.dmp

Filesize
60KB

Download
memory/3040-212-0x0000000004A80000-0x0000000004A82000-memory.dmp

Filesize
8KB

Download
memory/3040-121-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/3052-185-0x0000000000000000-mapping.dmp

Download
memory/3144-173-0x0000000000000000-mapping.dmp

Download
memory/3168-242-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-306-0x0000022C892B0000-0x0000022C892B1000-memory.dmp

Filesize
4KB

Download
memory/3168-233-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-234-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-236-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-237-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-238-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-239-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-230-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-229-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-243-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-245-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-246-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-248-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-250-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-251-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-252-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-222-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-304-0x0000022C89430000-0x0000022C89431000-memory.dmp

Filesize
4KB

Download
memory/3168-228-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-174-0x0000000000000000-mapping.dmp

Download
memory/3168-226-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-232-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-225-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-224-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-223-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-216-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-217-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-218-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-281-0x0000022C892A0000-0x0000022C892A1000-memory.dmp

Filesize
4KB

Download
memory/3168-288-0x0000022C8B2F0000-0x0000022C8B2F1000-memory.dmp

Filesize
4KB

Download
memory/3168-220-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3168-221-0x00007FFBDCE30000-0x00007FFBDCE9B000-memory.dmp

Filesize
428KB

Download
memory/3172-210-0x0000000000000000-mapping.dmp

Download
memory/3176-188-0x0000000000000000-mapping.dmp

Download
memory/3456-300-0x0000018AC3BC0000-0x0000018AC3BC1000-memory.dmp

Filesize
4KB

Download
memory/3520-202-0x0000000000000000-mapping.dmp

Download
memory/3604-278-0x0000000000000000-mapping.dmp

Download
memory/3604-280-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/3604-279-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/3616-282-0x0000000000000000-mapping.dmp

Download
memory/3616-284-0x0000000001020000-0x0000000001029000-memory.dmp

Filesize
36KB

Download
memory/3616-283-0x0000000001030000-0x0000000001035000-memory.dmp

Filesize
20KB

Download
memory/3632-172-0x0000000000000000-mapping.dmp

Download
memory/3652-189-0x0000000000000000-mapping.dmp

Download
memory/3676-178-0x0000014E24BC0000-0x0000014E24BC2000-memory.dmp

Filesize
8KB

Download
memory/3676-177-0x0000014E24BC0000-0x0000014E24BC2000-memory.dmp

Filesize
8KB

Download
memory/3752-205-0x0000000000000000-mapping.dmp

Download
memory/3860-195-0x0000000000000000-mapping.dmp

Download
memory/3908-211-0x0000000000000000-mapping.dmp

Download
memory/4080-187-0x0000000000000000-mapping.dmp

Download
memory/4092-295-0x0000000001290000-0x0000000001297000-memory.dmp

Filesize
28KB

Download
memory/4092-296-0x0000000001280000-0x000000000128D000-memory.dmp

Filesize
52KB

Download
memory/4092-294-0x0000000000000000-mapping.dmp

Download
memory/4092-191-0x0000000000000000-mapping.dmp

Download