redline | bc94b163517e1a81cec89823d0d4bb7045cd09e72a46da38f1b52573cde695a8

Analysis

max time kernel
154s
max time network
156s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11df57d6e3f2277ab9a9242b42dc35b.exe
Size

329KB
MD5

c11df57d6e3f2277ab9a9242b42dc35b
SHA1

832d923aaaf7bdf896d6952b8e58ad6e022f3891
SHA256

bc94b163517e1a81cec89823d0d4bb7045cd09e72a46da38f1b52573cde695a8
SHA512

e65dd1134dd42deaf20138c0f63a7324b9820414514559c668243fd2c5a90c7db63f25c76226cafaa0d2ec2325edce0a190a53ee447cad571381911fca1a44a5

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2044-171-0x0000000002560000-0x000000000258E000-memory.dmp	family_redline
behavioral2/memory/2044-173-0x0000000002590000-0x00000000025BC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

59C4.exeSmartClock.exe8AF7.exe1C2C.exe

pid process

592 59C4.exe
1476 SmartClock.exe
1504 8AF7.exe
2044 1C2C.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

3040
Drops startup file 1 IoCs

Processes:

59C4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 59C4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
592	59C4.exe
1476	SmartClock.exe
1504	8AF7.exe
2044	1C2C.exe

pid	process
3040

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	59C4.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3160 3692 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3160	3692	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c11df57d6e3f2277ab9a9242b42dc35b.exe8AF7.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8AF7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8AF7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8AF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2908 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exeNETSTAT.EXE

pid process

860 NETSTAT.EXE
2680 ipconfig.exe
1044 ipconfig.exe
1248 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1696 systeminfo.exe

pid	process
2908	tasklist.exe

pid	process
860	NETSTAT.EXE
2680	ipconfig.exe
1044	ipconfig.exe
1248	NETSTAT.EXE

pid	process
1696	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3051302-5284-11EC-B34F-56E05CEBA64F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1476 SmartClock.exe

pid	process
1476	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c11df57d6e3f2277ab9a9242b42dc35b.exe

pid	process
2628	c11df57d6e3f2277ab9a9242b42dc35b.exe
2628	c11df57d6e3f2277ab9a9242b42dc35b.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious behavior: MapViewOfSection 52 IoCs

Processes:

c11df57d6e3f2277ab9a9242b42dc35b.exe8AF7.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2628	c11df57d6e3f2277ab9a9242b42dc35b.exe
1504	8AF7.exe
3040
3040
3040
3040
3040
3040
3852	explorer.exe
3852	explorer.exe
3040
3040
3356	explorer.exe
3356	explorer.exe
3040
3040
648	explorer.exe
648	explorer.exe
3040
3040
2672	explorer.exe
2672	explorer.exe
3040
3040
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
3040
3040
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1400	WMIC.exe
Token: SeSecurityPrivilege	1400	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	WMIC.exe
Token: SeLoadDriverPrivilege	1400	WMIC.exe
Token: SeSystemProfilePrivilege	1400	WMIC.exe
Token: SeSystemtimePrivilege	1400	WMIC.exe
Token: SeProfSingleProcessPrivilege	1400	WMIC.exe
Token: SeIncBasePriorityPrivilege	1400	WMIC.exe
Token: SeCreatePagefilePrivilege	1400	WMIC.exe
Token: SeBackupPrivilege	1400	WMIC.exe
Token: SeRestorePrivilege	1400	WMIC.exe
Token: SeShutdownPrivilege	1400	WMIC.exe
Token: SeDebugPrivilege	1400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1400	WMIC.exe
Token: SeRemoteShutdownPrivilege	1400	WMIC.exe
Token: SeUndockPrivilege	1400	WMIC.exe
Token: SeManageVolumePrivilege	1400	WMIC.exe
Token: 33	1400	WMIC.exe
Token: 34	1400	WMIC.exe
Token: 35	1400	WMIC.exe
Token: 36	1400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1400	WMIC.exe
Token: SeSecurityPrivilege	1400	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	WMIC.exe
Token: SeLoadDriverPrivilege	1400	WMIC.exe
Token: SeSystemProfilePrivilege	1400	WMIC.exe
Token: SeSystemtimePrivilege	1400	WMIC.exe
Token: SeProfSingleProcessPrivilege	1400	WMIC.exe
Token: SeIncBasePriorityPrivilege	1400	WMIC.exe
Token: SeCreatePagefilePrivilege	1400	WMIC.exe
Token: SeBackupPrivilege	1400	WMIC.exe
Token: SeRestorePrivilege	1400	WMIC.exe
Token: SeShutdownPrivilege	1400	WMIC.exe
Token: SeDebugPrivilege	1400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1400	WMIC.exe
Token: SeRemoteShutdownPrivilege	1400	WMIC.exe
Token: SeUndockPrivilege	1400	WMIC.exe
Token: SeManageVolumePrivilege	1400	WMIC.exe
Token: 33	1400	WMIC.exe
Token: 34	1400	WMIC.exe
Token: 35	1400	WMIC.exe
Token: 36	1400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3376	WMIC.exe
Token: SeSecurityPrivilege	3376	WMIC.exe
Token: SeTakeOwnershipPrivilege	3376	WMIC.exe
Token: SeLoadDriverPrivilege	3376	WMIC.exe
Token: SeSystemProfilePrivilege	3376	WMIC.exe
Token: SeSystemtimePrivilege	3376	WMIC.exe
Token: SeProfSingleProcessPrivilege	3376	WMIC.exe
Token: SeIncBasePriorityPrivilege	3376	WMIC.exe
Token: SeCreatePagefilePrivilege	3376	WMIC.exe
Token: SeBackupPrivilege	3376	WMIC.exe
Token: SeRestorePrivilege	3376	WMIC.exe
Token: SeShutdownPrivilege	3376	WMIC.exe
Token: SeDebugPrivilege	3376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3376	WMIC.exe
Token: SeRemoteShutdownPrivilege	3376	WMIC.exe
Token: SeUndockPrivilege	3376	WMIC.exe
Token: SeManageVolumePrivilege	3376	WMIC.exe
Token: 33	3376	WMIC.exe
Token: 34	3376	WMIC.exe
Token: 35	3376	WMIC.exe
Token: 36	3376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3376	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1104 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1104 iexplore.exe
1104 iexplore.exe
2612 IEXPLORE.EXE
2612 IEXPLORE.EXE

pid	process
1104	iexplore.exe

pid	process
1104	iexplore.exe
1104	iexplore.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59C4.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3040 wrote to memory of 592	3040		59C4.exe
PID 3040 wrote to memory of 592	3040		59C4.exe
PID 3040 wrote to memory of 592	3040		59C4.exe
PID 592 wrote to memory of 1476	592	59C4.exe	SmartClock.exe
PID 592 wrote to memory of 1476	592	59C4.exe	SmartClock.exe
PID 592 wrote to memory of 1476	592	59C4.exe	SmartClock.exe
PID 3040 wrote to memory of 1504	3040		8AF7.exe
PID 3040 wrote to memory of 1504	3040		8AF7.exe
PID 3040 wrote to memory of 1504	3040		8AF7.exe
PID 3040 wrote to memory of 1092	3040		cmd.exe
PID 3040 wrote to memory of 1092	3040		cmd.exe
PID 1092 wrote to memory of 1400	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1400	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3376	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3376	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3988	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3988	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2016	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2016	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2124	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2124	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2068	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2068	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1288	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1288	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2660	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2660	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3128	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3128	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3608	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 3608	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2408	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 2408	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 860	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 860	1092	cmd.exe	WMIC.exe
PID 3040 wrote to memory of 2044	3040		1C2C.exe
PID 3040 wrote to memory of 2044	3040		1C2C.exe
PID 3040 wrote to memory of 2044	3040		1C2C.exe
PID 1092 wrote to memory of 1424	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1424	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1352	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1352	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1044	1092	cmd.exe	ipconfig.exe
PID 1092 wrote to memory of 1044	1092	cmd.exe	ipconfig.exe
PID 1092 wrote to memory of 3564	1092	cmd.exe	ROUTE.EXE
PID 1092 wrote to memory of 3564	1092	cmd.exe	ROUTE.EXE
PID 1092 wrote to memory of 1168	1092	cmd.exe	netsh.exe
PID 1092 wrote to memory of 1168	1092	cmd.exe	netsh.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	systeminfo.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	systeminfo.exe
PID 1092 wrote to memory of 2908	1092	cmd.exe	tasklist.exe
PID 1092 wrote to memory of 2908	1092	cmd.exe	tasklist.exe
PID 1092 wrote to memory of 1408	1092	cmd.exe	net.exe
PID 1092 wrote to memory of 1408	1092	cmd.exe	net.exe
PID 1408 wrote to memory of 1332	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1332	1408	net.exe	net1.exe
PID 1092 wrote to memory of 3624	1092	cmd.exe	net.exe
PID 1092 wrote to memory of 3624	1092	cmd.exe	net.exe
PID 3624 wrote to memory of 3216	3624	net.exe	net1.exe
PID 3624 wrote to memory of 3216	3624	net.exe	net1.exe
PID 1092 wrote to memory of 3180	1092	cmd.exe	net.exe
PID 1092 wrote to memory of 3180	1092	cmd.exe	net.exe
PID 3180 wrote to memory of 3200	3180	net.exe	net1.exe
PID 3180 wrote to memory of 3200	3180	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2368

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2692

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3692 -s 928
2⤵
- Program crash
PID:3160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\c11df57d6e3f2277ab9a9242b42dc35b.exe
"C:\Users\Admin\AppData\Local\Temp\c11df57d6e3f2277ab9a9242b42dc35b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2628

C:\Users\Admin\AppData\Local\Temp\59C4.exe
C:\Users\Admin\AppData\Local\Temp\59C4.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1476

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\8AF7.exe
C:\Users\Admin\AppData\Local\Temp\8AF7.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1504

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:3988

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2016

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2124

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2068

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1288

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:2660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3128

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3608

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2408

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:860

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1424

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1352

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1044

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3564

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:1168

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1696

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2908

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:1332

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3216

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3200

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:3012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2528

C:\Windows\system32\net.exe
net use
2⤵
PID:1572

C:\Windows\system32\net.exe
net group
2⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:1172

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3700

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:908

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:648

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:860

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1516

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:2680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\1C2C.exe
C:\Users\Admin\AppData\Local\Temp\1C2C.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2192

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3852

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3356

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2680

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1C2C.exe

MD5
39fde0ab2002da0bb653adef68275b45

SHA1
51944ab931e748770f872bd509a1484640ac5635

SHA256
2a3d1390d66f186ee234901094ec279db501b8ad49c3e626c4bc035189cf32a4

SHA512
b8272191f047de556c643dbe39e076a26e4f92d1797d644fddd63b665921d77b8506f7db84128e7a9ae93dcc167e3e77f43cd70694c8254805506d219934149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C2C.exe

MD5
39fde0ab2002da0bb653adef68275b45

SHA1
51944ab931e748770f872bd509a1484640ac5635

SHA256
2a3d1390d66f186ee234901094ec279db501b8ad49c3e626c4bc035189cf32a4

SHA512
b8272191f047de556c643dbe39e076a26e4f92d1797d644fddd63b665921d77b8506f7db84128e7a9ae93dcc167e3e77f43cd70694c8254805506d219934149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\59C4.exe

MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\59C4.exe

MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AF7.exe

MD5
1338d8f1a38a100d67ba32974fb3e5b4

SHA1
3ba67dedc2b57366158947b379a6c96cac00bfa8

SHA256
27ff500ad4459d1c7998f41798120b711cf243ec7ad1934f8fe39c1768236c83

SHA512
c6d73a5ac749803e6ae4185f178632cb0db2311f32e3eb750f3fbb7d6d0fea107ff3363ffea6815c37083b60ee7b336bcc48e555ca7b515b73d8c0a417dcfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AF7.exe

MD5
1338d8f1a38a100d67ba32974fb3e5b4

SHA1
3ba67dedc2b57366158947b379a6c96cac00bfa8

SHA256
27ff500ad4459d1c7998f41798120b711cf243ec7ad1934f8fe39c1768236c83

SHA512
c6d73a5ac749803e6ae4185f178632cb0db2311f32e3eb750f3fbb7d6d0fea107ff3363ffea6815c37083b60ee7b336bcc48e555ca7b515b73d8c0a417dcfd04

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
memory/592-125-0x00000000008E1000-0x0000000000961000-memory.dmp

Filesize
512KB

Download
memory/592-122-0x0000000000000000-mapping.dmp

Download
memory/592-130-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/592-129-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/648-205-0x0000000000000000-mapping.dmp

Download
memory/648-279-0x0000000000000000-mapping.dmp

Download
memory/648-280-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/648-281-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/860-206-0x0000000000000000-mapping.dmp

Download
memory/860-158-0x0000000000000000-mapping.dmp

Download
memory/908-204-0x0000000000000000-mapping.dmp

Download
memory/1044-164-0x0000000000000000-mapping.dmp

Download
memory/1092-144-0x0000000000000000-mapping.dmp

Download
memory/1104-247-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-213-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-301-0x00000225741A0000-0x00000225741A1000-memory.dmp

Filesize
4KB

Download
memory/1104-299-0x0000022576290000-0x0000022576291000-memory.dmp

Filesize
4KB

Download
memory/1104-229-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-298-0x0000022576290000-0x0000022576291000-memory.dmp

Filesize
4KB

Download
memory/1104-226-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-227-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-225-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-223-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-285-0x00000225761E0000-0x00000225761E1000-memory.dmp

Filesize
4KB

Download
memory/1104-222-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-248-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-221-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-278-0x0000022574190000-0x0000022574191000-memory.dmp

Filesize
4KB

Download
memory/1104-220-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-219-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-218-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-217-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-215-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-214-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-249-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-245-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-230-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-253-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-243-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-232-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-233-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-234-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-242-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-235-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-236-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-240-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1104-239-0x00007FFEF8F00000-0x00007FFEF8F6B000-memory.dmp

Filesize
428KB

Download
memory/1168-166-0x0000000000000000-mapping.dmp

Download
memory/1172-197-0x0000000000000000-mapping.dmp

Download
memory/1248-203-0x0000000000000000-mapping.dmp

Download
memory/1288-153-0x0000000000000000-mapping.dmp

Download
memory/1332-185-0x0000000000000000-mapping.dmp

Download
memory/1352-163-0x0000000000000000-mapping.dmp

Download
memory/1400-145-0x0000000000000000-mapping.dmp

Download
memory/1408-184-0x0000000000000000-mapping.dmp

Download
memory/1424-162-0x0000000000000000-mapping.dmp

Download
memory/1476-290-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1476-133-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1476-289-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1476-126-0x0000000000000000-mapping.dmp

Download
memory/1476-131-0x00000000005B1000-0x0000000000631000-memory.dmp

Filesize
512KB

Download
memory/1476-132-0x0000000000800000-0x0000000000891000-memory.dmp

Filesize
580KB

Download
memory/1504-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1504-134-0x0000000000000000-mapping.dmp

Download
memory/1504-139-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1516-207-0x0000000000000000-mapping.dmp

Download
memory/1572-193-0x0000000000000000-mapping.dmp

Download
memory/1696-170-0x0000000000000000-mapping.dmp

Download
memory/1760-196-0x0000000000000000-mapping.dmp

Download
memory/2016-148-0x0000000000000000-mapping.dmp

Download
memory/2044-194-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2044-174-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2044-201-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/2044-172-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2044-171-0x0000000002560000-0x000000000258E000-memory.dmp

Filesize
184KB

Download
memory/2044-199-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2044-198-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/2044-175-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

Filesize
4KB

Download
memory/2044-195-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/2044-182-0x0000000004AC4000-0x0000000004AC6000-memory.dmp

Filesize
8KB

Download
memory/2044-169-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2044-168-0x00000000004F0000-0x000000000059E000-memory.dmp

Filesize
696KB

Download
memory/2044-192-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2044-173-0x0000000002590000-0x00000000025BC000-memory.dmp

Filesize
176KB

Download
memory/2044-176-0x0000000004AC3000-0x0000000004AC4000-memory.dmp

Filesize
4KB

Download
memory/2044-159-0x0000000000000000-mapping.dmp

Download
memory/2044-177-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2044-181-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/2044-180-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2044-179-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2044-178-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2068-152-0x0000000000000000-mapping.dmp

Download
memory/2124-149-0x0000000000000000-mapping.dmp

Download
memory/2160-271-0x0000000000F30000-0x0000000000F3C000-memory.dmp

Filesize
48KB

Download
memory/2160-270-0x0000000000F40000-0x0000000000F47000-memory.dmp

Filesize
28KB

Download
memory/2160-269-0x0000000000000000-mapping.dmp

Download
memory/2192-266-0x0000000000000000-mapping.dmp

Download
memory/2192-268-0x0000000003470000-0x00000000034DB000-memory.dmp

Filesize
428KB

Download
memory/2192-267-0x00000000034E0000-0x0000000003555000-memory.dmp

Filesize
468KB

Download
memory/2368-294-0x000001DE89EA0000-0x000001DE89EA1000-memory.dmp

Filesize
4KB

Download
memory/2408-157-0x0000000000000000-mapping.dmp

Download
memory/2424-295-0x000001802DF40000-0x000001802DF41000-memory.dmp

Filesize
4KB

Download
memory/2528-191-0x0000000000000000-mapping.dmp

Download
memory/2612-238-0x0000000000000000-mapping.dmp

Download
memory/2628-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2628-120-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2660-154-0x0000000000000000-mapping.dmp

Download
memory/2672-284-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2672-282-0x0000000000000000-mapping.dmp

Download
memory/2672-283-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2680-208-0x0000000000000000-mapping.dmp

Download
memory/2680-287-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/2680-288-0x0000000000C30000-0x0000000000C3B000-memory.dmp

Filesize
44KB

Download
memory/2680-286-0x0000000000000000-mapping.dmp

Download
memory/2692-296-0x0000026B0F110000-0x0000026B0F111000-memory.dmp

Filesize
4KB

Download
memory/2884-292-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/2884-293-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

Filesize
52KB

Download
memory/2884-291-0x0000000000000000-mapping.dmp

Download
memory/2908-183-0x0000000000000000-mapping.dmp

Download
memory/3012-190-0x0000000000000000-mapping.dmp

Download
memory/3040-140-0x0000000002D20000-0x0000000002D36000-memory.dmp

Filesize
88KB

Download
memory/3040-143-0x0000000004CB0000-0x0000000004CBF000-memory.dmp

Filesize
60KB

Download
memory/3040-209-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/3040-211-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/3040-141-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/3040-212-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/3040-142-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/3040-121-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/3128-155-0x0000000000000000-mapping.dmp

Download
memory/3160-300-0x0000018736CF0000-0x0000018736CF1000-memory.dmp

Filesize
4KB

Download
memory/3180-188-0x0000000000000000-mapping.dmp

Download
memory/3200-189-0x0000000000000000-mapping.dmp

Download
memory/3216-187-0x0000000000000000-mapping.dmp

Download
memory/3356-275-0x0000000000000000-mapping.dmp

Download
memory/3356-276-0x0000000000380000-0x0000000000389000-memory.dmp

Filesize
36KB

Download
memory/3356-277-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/3376-146-0x0000000000000000-mapping.dmp

Download
memory/3468-297-0x0000019EA80A0000-0x0000019EA80A1000-memory.dmp

Filesize
4KB

Download
memory/3564-165-0x0000000000000000-mapping.dmp

Download
memory/3608-156-0x0000000000000000-mapping.dmp

Download
memory/3616-150-0x0000017DD1850000-0x0000017DD1852000-memory.dmp

Filesize
8KB

Download
memory/3616-151-0x0000017DD1850000-0x0000017DD1852000-memory.dmp

Filesize
8KB

Download
memory/3624-186-0x0000000000000000-mapping.dmp

Download
memory/3700-202-0x0000000000000000-mapping.dmp

Download
memory/3772-200-0x0000000000000000-mapping.dmp

Download
memory/3852-274-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/3852-272-0x0000000000000000-mapping.dmp

Download
memory/3852-273-0x00000000008A0000-0x00000000008A7000-memory.dmp

Filesize
28KB

Download
memory/3988-147-0x0000000000000000-mapping.dmp

Download