redline | bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52

Analysis

max time kernel
151s
max time network
146s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
Size

232KB
MD5

d21cd371ebcfb168c7e321c9104f2526
SHA1

3e7379803b0e8e9378e845c2764164bea32b4d77
SHA256

bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52
SHA512

8d2055db7abbb5c0f1bf5065a0ab802cef0f8ad5fcb07ab3aedc3b5d67ac27545e42bfbbeaced1047ff99fdec4834999442e99d563f0750feea9ec27ba59159c

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1304-148-0x0000000002270000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/1304-150-0x0000000004A30000-0x0000000004A5C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

163.exeSmartClock.exe1F0E.exe3660.exe3FC7.exe

pid process

4368 163.exe
744 SmartClock.exe
4548 1F0E.exe
520 3660.exe
1304 3FC7.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2060
Drops startup file 1 IoCs

Processes:

163.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 163.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4368	163.exe
744	SmartClock.exe
4548	1F0E.exe
520	3660.exe
1304	3FC7.exe

pid	process
2060

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	163.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

296 520 WerFault.exe 3660.exe
904 3796 WerFault.exe DllHost.exe

pid	pid_target	process	target process
296	520	WerFault.exe	3660.exe
904	3796	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe1F0E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0E.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2152 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeipconfig.exe

pid process

3900 NETSTAT.EXE
3668 NETSTAT.EXE
768 ipconfig.exe
2112 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4292 systeminfo.exe

pid	process
2152	tasklist.exe

pid	process
3900	NETSTAT.EXE
3668	NETSTAT.EXE
768	ipconfig.exe
2112	ipconfig.exe

pid	process
4292	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4DFF89C-5301-11EC-B34F-F23AFFACC4A0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

744 SmartClock.exe

pid	process
744	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe

pid	process
3552	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
3552	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2060

pid	process
2060

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe1F0E.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3552	bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
4548	1F0E.exe
2060
2060
2060
2060
2060
2060
4620	explorer.exe
4620	explorer.exe
2060
2060
5004	explorer.exe
5004	explorer.exe
2060
2060
5112	explorer.exe
5112	explorer.exe
2060
2060
1212	explorer.exe
1212	explorer.exe
2060
2060
356	explorer.exe
356	explorer.exe
356	explorer.exe
356	explorer.exe
2060
2060
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe3FC7.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	296	WerFault.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	1304	3FC7.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeIncreaseQuotaPrivilege	4892	WMIC.exe
Token: SeSecurityPrivilege	4892	WMIC.exe
Token: SeTakeOwnershipPrivilege	4892	WMIC.exe
Token: SeLoadDriverPrivilege	4892	WMIC.exe
Token: SeSystemProfilePrivilege	4892	WMIC.exe
Token: SeSystemtimePrivilege	4892	WMIC.exe
Token: SeProfSingleProcessPrivilege	4892	WMIC.exe
Token: SeIncBasePriorityPrivilege	4892	WMIC.exe
Token: SeCreatePagefilePrivilege	4892	WMIC.exe
Token: SeBackupPrivilege	4892	WMIC.exe
Token: SeRestorePrivilege	4892	WMIC.exe
Token: SeShutdownPrivilege	4892	WMIC.exe
Token: SeDebugPrivilege	4892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4892	WMIC.exe
Token: SeRemoteShutdownPrivilege	4892	WMIC.exe
Token: SeUndockPrivilege	4892	WMIC.exe
Token: SeManageVolumePrivilege	4892	WMIC.exe
Token: 33	4892	WMIC.exe
Token: 34	4892	WMIC.exe
Token: 35	4892	WMIC.exe
Token: 36	4892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4892	WMIC.exe
Token: SeSecurityPrivilege	4892	WMIC.exe
Token: SeTakeOwnershipPrivilege	4892	WMIC.exe
Token: SeLoadDriverPrivilege	4892	WMIC.exe
Token: SeSystemProfilePrivilege	4892	WMIC.exe
Token: SeSystemtimePrivilege	4892	WMIC.exe
Token: SeProfSingleProcessPrivilege	4892	WMIC.exe
Token: SeIncBasePriorityPrivilege	4892	WMIC.exe
Token: SeCreatePagefilePrivilege	4892	WMIC.exe
Token: SeBackupPrivilege	4892	WMIC.exe
Token: SeRestorePrivilege	4892	WMIC.exe
Token: SeShutdownPrivilege	4892	WMIC.exe
Token: SeDebugPrivilege	4892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4892	WMIC.exe
Token: SeRemoteShutdownPrivilege	4892	WMIC.exe
Token: SeUndockPrivilege	4892	WMIC.exe
Token: SeManageVolumePrivilege	4892	WMIC.exe
Token: 33	4892	WMIC.exe
Token: 34	4892	WMIC.exe
Token: 35	4892	WMIC.exe
Token: 36	4892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

596 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

596 iexplore.exe
596 iexplore.exe
3572 IEXPLORE.EXE
3572 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3460 RuntimeBroker.exe

pid	process
596	iexplore.exe

pid	process
596	iexplore.exe
596	iexplore.exe
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE

pid	process
3460	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

163.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2060 wrote to memory of 4368	2060		163.exe
PID 2060 wrote to memory of 4368	2060		163.exe
PID 2060 wrote to memory of 4368	2060		163.exe
PID 4368 wrote to memory of 744	4368	163.exe	SmartClock.exe
PID 4368 wrote to memory of 744	4368	163.exe	SmartClock.exe
PID 4368 wrote to memory of 744	4368	163.exe	SmartClock.exe
PID 2060 wrote to memory of 4548	2060		1F0E.exe
PID 2060 wrote to memory of 4548	2060		1F0E.exe
PID 2060 wrote to memory of 4548	2060		1F0E.exe
PID 2060 wrote to memory of 520	2060		3660.exe
PID 2060 wrote to memory of 520	2060		3660.exe
PID 2060 wrote to memory of 1304	2060		3FC7.exe
PID 2060 wrote to memory of 1304	2060		3FC7.exe
PID 2060 wrote to memory of 1304	2060		3FC7.exe
PID 2060 wrote to memory of 4112	2060		cmd.exe
PID 2060 wrote to memory of 4112	2060		cmd.exe
PID 4112 wrote to memory of 4892	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4892	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1268	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1268	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4968	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4968	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1976	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1976	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4920	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4920	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4144	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4144	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4676	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4676	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 5060	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 5060	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 968	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 968	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4588	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 4588	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 2972	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 2972	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1724	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1724	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1644	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 1644	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 976	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 976	4112	cmd.exe	WMIC.exe
PID 4112 wrote to memory of 2112	4112	cmd.exe	ipconfig.exe
PID 4112 wrote to memory of 2112	4112	cmd.exe	ipconfig.exe
PID 4112 wrote to memory of 2200	4112	cmd.exe	ROUTE.EXE
PID 4112 wrote to memory of 2200	4112	cmd.exe	ROUTE.EXE
PID 4112 wrote to memory of 2072	4112	cmd.exe	netsh.exe
PID 4112 wrote to memory of 2072	4112	cmd.exe	netsh.exe
PID 4112 wrote to memory of 4292	4112	cmd.exe	systeminfo.exe
PID 4112 wrote to memory of 4292	4112	cmd.exe	systeminfo.exe
PID 4112 wrote to memory of 2152	4112	cmd.exe	tasklist.exe
PID 4112 wrote to memory of 2152	4112	cmd.exe	tasklist.exe
PID 4112 wrote to memory of 3560	4112	cmd.exe	net.exe
PID 4112 wrote to memory of 3560	4112	cmd.exe	net.exe
PID 3560 wrote to memory of 3608	3560	net.exe	net1.exe
PID 3560 wrote to memory of 3608	3560	net.exe	net1.exe
PID 4112 wrote to memory of 4500	4112	cmd.exe	net.exe
PID 4112 wrote to memory of 4500	4112	cmd.exe	net.exe
PID 4500 wrote to memory of 2560	4500	net.exe	net1.exe
PID 4500 wrote to memory of 2560	4500	net.exe	net1.exe
PID 4112 wrote to memory of 3604	4112	cmd.exe	net.exe
PID 4112 wrote to memory of 3604	4112	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3236

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3796 -s 904
2⤵
- Program crash
PID:904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3460

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2424

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe
"C:\Users\Admin\AppData\Local\Temp\bd0d826c971936384c3cd2cc4d7b52eea80c85a280c5bc4986c37dedbd212d52.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Users\Admin\AppData\Local\Temp\163.exe
C:\Users\Admin\AppData\Local\Temp\163.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:744

C:\Users\Admin\AppData\Local\Temp\1F0E.exe
C:\Users\Admin\AppData\Local\Temp\1F0E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4548

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\3660.exe
C:\Users\Admin\AppData\Local\Temp\3660.exe
1⤵
- Executes dropped EXE
PID:520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 520 -s 420
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\AppData\Local\Temp\3FC7.exe
C:\Users\Admin\AppData\Local\Temp\3FC7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4968

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:1976

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4920

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:4676

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:5060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:968

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4588

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2972

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:1724

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1644

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:976

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2112

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:2200

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2072

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:4292

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2152

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3608

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2560

C:\Windows\system32\net.exe
net user
2⤵
PID:3604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4456

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:3312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:5068

C:\Windows\system32\net.exe
net use
2⤵
PID:3768

C:\Windows\system32\net.exe
net group
2⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3652

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:4200

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:3996

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:4036

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3668

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:4396

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4892

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4620

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\163.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\163.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0E.exe
MD5
2b5fce2437cca15b83498d05bf531191

SHA1
39763ffde09a3e821896656d3f1eea7bb3400cba

SHA256
5c67d078ed1b093faad413b579a897e2ced8be5a60c83961973602b711272e21

SHA512
8e29b1be156ba6d9dc206f31495cf9e716c7dfcc4cf2e580518c4b55cdd0601da2066af2e2c7c6f56f0c634a63d685aea9ac3fb3714aeb6438933cec74beb9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0E.exe
MD5
2b5fce2437cca15b83498d05bf531191

SHA1
39763ffde09a3e821896656d3f1eea7bb3400cba

SHA256
5c67d078ed1b093faad413b579a897e2ced8be5a60c83961973602b711272e21

SHA512
8e29b1be156ba6d9dc206f31495cf9e716c7dfcc4cf2e580518c4b55cdd0601da2066af2e2c7c6f56f0c634a63d685aea9ac3fb3714aeb6438933cec74beb9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\3660.exe
MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\3660.exe
MD5
797969fff63bc27ff47c02212685e027

SHA1
8dbb347120bdfffbb4eec3929d323cc6ed42698d

SHA256
df16de6120e58e0576c0af236154fb9efbcc3a1bde4dbf6078b3e7d94d17fce4

SHA512
de4051aba6167836a16dbc7e27d9b6af306ca97bc0ae6c9cd1f969a6c334c35c828dbe6537bfc8b45deb91d79c821094d9dcd79493231217f6b93b8255cdc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC7.exe
MD5
b0c194c979bd54e4bb2b2c2e14fdd8e8

SHA1
6cce39926b7398b8684ea406fcbdbb39eaeea5aa

SHA256
323d4ceb737997b06d9e522630f9d036ad4b1addcb2bb3e2aa76d29e591be72f

SHA512
af835fcfe29bb0ffeb4d15a5bff3f1f98fbad6e48fb6783f7fe23681ea627165a300ab9d4021a93d00b870f4878fcfa0066980ecd0b32efca88377260f0a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC7.exe
MD5
b0c194c979bd54e4bb2b2c2e14fdd8e8

SHA1
6cce39926b7398b8684ea406fcbdbb39eaeea5aa

SHA256
323d4ceb737997b06d9e522630f9d036ad4b1addcb2bb3e2aa76d29e591be72f

SHA512
af835fcfe29bb0ffeb4d15a5bff3f1f98fbad6e48fb6783f7fe23681ea627165a300ab9d4021a93d00b870f4878fcfa0066980ecd0b32efca88377260f0a26a4

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
52a67064977704d6a31ed6596764ff89

SHA1
403f221a4da921a333e7f5553a961b63313558c7

SHA256
2c12191c47a538bc14750470bbba7a71e492ebe162b7da28db5b3a341f991a91

SHA512
c6e3fd8ba7e74f9e2ba5a87cff763aa6ebdb7a63b1f5e6ea606671f9450472fee72d0f644da3ac69292f6f1abdd23c459a26a05b94a19313f544f5486222660e

Download Submit
memory/296-302-0x000002CE89B70000-0x000002CE89B71000-memory.dmp

Filesize
4KB

Download
memory/356-291-0x0000000000610000-0x000000000061B000-memory.dmp

Filesize
44KB

Download
memory/356-289-0x0000000000000000-mapping.dmp

Download
memory/356-290-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/520-140-0x0000000000000000-mapping.dmp

Download
memory/520-301-0x0000022AB7660000-0x0000022AB7661000-memory.dmp

Filesize
4KB

Download
memory/596-252-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-225-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-216-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-217-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-218-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-221-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-220-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-304-0x00000210C3060000-0x00000210C3061000-memory.dmp

Filesize
4KB

Download
memory/596-288-0x00000210C4F20000-0x00000210C4F21000-memory.dmp

Filesize
4KB

Download
memory/596-222-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-306-0x00000210C2EE0000-0x00000210C2EE1000-memory.dmp

Filesize
4KB

Download
memory/596-223-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-224-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-226-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-281-0x00000210C2ED0000-0x00000210C2ED1000-memory.dmp

Filesize
4KB

Download
memory/596-228-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-251-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-250-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-248-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-246-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-245-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-243-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-242-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-239-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-238-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-237-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-236-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-234-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-233-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-232-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-229-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/596-230-0x00007FFAD2220000-0x00007FFAD228B000-memory.dmp

Filesize
428KB

Download
memory/744-134-0x00000000006D1000-0x0000000000751000-memory.dmp

Filesize
512KB

Download
memory/744-135-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/744-136-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/744-126-0x0000000000000000-mapping.dmp

Download
memory/744-293-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/744-292-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/768-211-0x0000000000000000-mapping.dmp

Download
memory/904-305-0x00000231CE270000-0x00000231CE271000-memory.dmp

Filesize
4KB

Download
memory/968-182-0x0000000000000000-mapping.dmp

Download
memory/976-187-0x0000000000000000-mapping.dmp

Download
memory/1212-287-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/1212-286-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/1212-285-0x0000000000000000-mapping.dmp

Download
memory/1268-173-0x0000000000000000-mapping.dmp

Download
memory/1304-159-0x0000000004BF3000-0x0000000004BF4000-memory.dmp

Filesize
4KB

Download
memory/1304-162-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1304-152-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1304-153-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1304-147-0x0000000000891000-0x00000000008BD000-memory.dmp

Filesize
176KB

Download
memory/1304-151-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1304-154-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/1304-155-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1304-156-0x0000000004BF4000-0x0000000004BF6000-memory.dmp

Filesize
8KB

Download
memory/1304-157-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1304-158-0x0000000004BF2000-0x0000000004BF3000-memory.dmp

Filesize
4KB

Download
memory/1304-160-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1304-161-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1304-143-0x0000000000000000-mapping.dmp

Download
memory/1304-163-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1304-164-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1304-165-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1304-166-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/1304-167-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/1304-150-0x0000000004A30000-0x0000000004A5C000-memory.dmp

Filesize
176KB

Download
memory/1304-148-0x0000000002270000-0x000000000229E000-memory.dmp

Filesize
184KB

Download
memory/1304-149-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1644-186-0x0000000000000000-mapping.dmp

Download
memory/1724-185-0x0000000000000000-mapping.dmp

Download
memory/1976-175-0x0000000000000000-mapping.dmp

Download
memory/2060-212-0x0000000004D40000-0x0000000004D42000-memory.dmp

Filesize
8KB

Download
memory/2060-121-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2060-170-0x0000000004D30000-0x0000000004D3F000-memory.dmp

Filesize
60KB

Download
memory/2060-168-0x0000000004D40000-0x0000000004D42000-memory.dmp

Filesize
8KB

Download
memory/2060-146-0x0000000004120000-0x0000000004136000-memory.dmp

Filesize
88KB

Download
memory/2060-169-0x0000000004D40000-0x0000000004D42000-memory.dmp

Filesize
8KB

Download
memory/2060-214-0x0000000004D40000-0x0000000004D42000-memory.dmp

Filesize
8KB

Download
memory/2060-215-0x0000000004D40000-0x0000000004D42000-memory.dmp

Filesize
8KB

Download
memory/2072-190-0x0000000000000000-mapping.dmp

Download
memory/2112-188-0x0000000000000000-mapping.dmp

Download
memory/2152-192-0x0000000000000000-mapping.dmp

Download
memory/2200-189-0x0000000000000000-mapping.dmp

Download
memory/2408-297-0x0000016FD2F80000-0x0000016FD2F81000-memory.dmp

Filesize
4KB

Download
memory/2424-298-0x000002623AD40000-0x000002623AD41000-memory.dmp

Filesize
4KB

Download
memory/2560-196-0x0000000000000000-mapping.dmp

Download
memory/2704-303-0x000001C860280000-0x000001C860281000-memory.dmp

Filesize
4KB

Download
memory/2704-299-0x000001C85FF40000-0x000001C85FF41000-memory.dmp

Filesize
4KB

Download
memory/2904-273-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/2904-272-0x0000000000000000-mapping.dmp

Download
memory/2904-274-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/2972-184-0x0000000000000000-mapping.dmp

Download
memory/3312-199-0x0000000000000000-mapping.dmp

Download
memory/3460-300-0x00000201F7140000-0x00000201F7141000-memory.dmp

Filesize
4KB

Download
memory/3552-120-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/3552-119-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/3552-118-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/3560-193-0x0000000000000000-mapping.dmp

Download
memory/3572-241-0x0000000000000000-mapping.dmp

Download
memory/3604-197-0x0000000000000000-mapping.dmp

Download
memory/3608-194-0x0000000000000000-mapping.dmp

Download
memory/3628-204-0x0000000000000000-mapping.dmp

Download
memory/3652-203-0x0000000000000000-mapping.dmp

Download
memory/3668-209-0x0000000000000000-mapping.dmp

Download
memory/3768-201-0x0000000000000000-mapping.dmp

Download
memory/3892-202-0x0000000000000000-mapping.dmp

Download
memory/3900-206-0x0000000000000000-mapping.dmp

Download
memory/3996-207-0x0000000000000000-mapping.dmp

Download
memory/4036-208-0x0000000000000000-mapping.dmp

Download
memory/4112-171-0x0000000000000000-mapping.dmp

Download
memory/4144-179-0x0000000000000000-mapping.dmp

Download
memory/4200-205-0x0000000000000000-mapping.dmp

Download
memory/4292-191-0x0000000000000000-mapping.dmp

Download
memory/4368-129-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/4368-125-0x0000000000821000-0x00000000008A1000-memory.dmp

Filesize
512KB

Download
memory/4368-122-0x0000000000000000-mapping.dmp

Download
memory/4368-130-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4396-210-0x0000000000000000-mapping.dmp

Download
memory/4456-198-0x0000000000000000-mapping.dmp

Download
memory/4500-195-0x0000000000000000-mapping.dmp

Download
memory/4548-131-0x0000000000000000-mapping.dmp

Download
memory/4548-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4548-139-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4588-183-0x0000000000000000-mapping.dmp

Download
memory/4620-276-0x0000000000360000-0x0000000000367000-memory.dmp

Filesize
28KB

Download
memory/4620-277-0x0000000000350000-0x000000000035B000-memory.dmp

Filesize
44KB

Download
memory/4620-275-0x0000000000000000-mapping.dmp

Download
memory/4644-178-0x000001AC9A0A0000-0x000001AC9A0A2000-memory.dmp

Filesize
8KB

Download
memory/4644-177-0x000001AC9A0A0000-0x000001AC9A0A2000-memory.dmp

Filesize
8KB

Download
memory/4676-180-0x0000000000000000-mapping.dmp

Download
memory/4892-266-0x0000000000000000-mapping.dmp

Download
memory/4892-270-0x0000000002F80000-0x0000000002FF5000-memory.dmp

Filesize
468KB

Download
memory/4892-271-0x0000000002F10000-0x0000000002F7B000-memory.dmp

Filesize
428KB

Download
memory/4892-172-0x0000000000000000-mapping.dmp

Download
memory/4920-176-0x0000000000000000-mapping.dmp

Download
memory/4952-296-0x0000000000890000-0x000000000089D000-memory.dmp

Filesize
52KB

Download
memory/4952-295-0x00000000008A0000-0x00000000008A7000-memory.dmp

Filesize
28KB

Download
memory/4952-294-0x0000000000000000-mapping.dmp

Download
memory/4968-174-0x0000000000000000-mapping.dmp

Download
memory/5004-278-0x0000000000000000-mapping.dmp

Download
memory/5004-279-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/5004-280-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/5060-181-0x0000000000000000-mapping.dmp

Download
memory/5068-200-0x0000000000000000-mapping.dmp

Download
memory/5112-282-0x0000000000000000-mapping.dmp

Download
memory/5112-283-0x0000000000810000-0x0000000000815000-memory.dmp

Filesize
20KB

Download
memory/5112-284-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download