redline | e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172

Analysis

max time kernel
151s
max time network
140s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
Size

320KB
MD5

8f8b2a03a443b9920ea59df6ae66630e
SHA1

fefe0ac65b4273d5f7a3768b778878dc74596270
SHA256

e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172
SHA512

9913fb0084e6cb7ac2ee5bdcf99e1f84ade6c52052b67868884e2bc1caa3fd416973eaaf364de2f6f5c1449e75d36d677564abd7315c164a91f14ae0d94eb669

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3624-147-0x0000000002250000-0x000000000227E000-memory.dmp	family_redline
behavioral1/memory/3624-149-0x0000000002600000-0x000000000262C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

309.exe1097.exeSmartClock.exe3B13.exe

pid process

4004 309.exe
3808 1097.exe
2868 SmartClock.exe
3624 3B13.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

3040
Drops startup file 1 IoCs

Processes:

309.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 309.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4004	309.exe
3808	1097.exe
2868	SmartClock.exe
3624	3B13.exe

pid	process
3040

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	309.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3640 3696 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3640	3696	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe1097.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1097.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1097.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1097.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3600 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

4000 ipconfig.exe
1412 NETSTAT.EXE
1176 NETSTAT.EXE
964 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3220 systeminfo.exe

pid	process
3600	tasklist.exe

pid	process
4000	ipconfig.exe
1412	NETSTAT.EXE
1176	NETSTAT.EXE
964	ipconfig.exe

pid	process
3220	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4253DB5-52D0-11EC-B34F-5ACFE0EDF3EA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2868 SmartClock.exe

pid	process
2868	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe

pid	process
2604	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
2604	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious behavior: MapViewOfSection 52 IoCs

Processes:

e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe1097.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2604	e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
3808	1097.exe
3040
3040
3040
3040
3040
3040
1480	explorer.exe
1480	explorer.exe
3040
3040
992	explorer.exe
992	explorer.exe
3040
3040
700	explorer.exe
700	explorer.exe
3040
3040
628	explorer.exe
628	explorer.exe
3040
3040
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
3040
3040
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3B13.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3624	3B13.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	360	WMIC.exe
Token: SeSecurityPrivilege	360	WMIC.exe
Token: SeTakeOwnershipPrivilege	360	WMIC.exe
Token: SeLoadDriverPrivilege	360	WMIC.exe
Token: SeSystemProfilePrivilege	360	WMIC.exe
Token: SeSystemtimePrivilege	360	WMIC.exe
Token: SeProfSingleProcessPrivilege	360	WMIC.exe
Token: SeIncBasePriorityPrivilege	360	WMIC.exe
Token: SeCreatePagefilePrivilege	360	WMIC.exe
Token: SeBackupPrivilege	360	WMIC.exe
Token: SeRestorePrivilege	360	WMIC.exe
Token: SeShutdownPrivilege	360	WMIC.exe
Token: SeDebugPrivilege	360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	360	WMIC.exe
Token: SeRemoteShutdownPrivilege	360	WMIC.exe
Token: SeUndockPrivilege	360	WMIC.exe
Token: SeManageVolumePrivilege	360	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1388 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1388 iexplore.exe
1388 iexplore.exe
1352 IEXPLORE.EXE
1352 IEXPLORE.EXE

pid	process
1388	iexplore.exe

pid	process
1388	iexplore.exe
1388	iexplore.exe
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

309.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3040 wrote to memory of 4004	3040		309.exe
PID 3040 wrote to memory of 4004	3040		309.exe
PID 3040 wrote to memory of 4004	3040		309.exe
PID 3040 wrote to memory of 3808	3040		1097.exe
PID 3040 wrote to memory of 3808	3040		1097.exe
PID 3040 wrote to memory of 3808	3040		1097.exe
PID 4004 wrote to memory of 2868	4004	309.exe	SmartClock.exe
PID 4004 wrote to memory of 2868	4004	309.exe	SmartClock.exe
PID 4004 wrote to memory of 2868	4004	309.exe	SmartClock.exe
PID 3040 wrote to memory of 3624	3040		3B13.exe
PID 3040 wrote to memory of 3624	3040		3B13.exe
PID 3040 wrote to memory of 3624	3040		3B13.exe
PID 3040 wrote to memory of 3060	3040		cmd.exe
PID 3040 wrote to memory of 3060	3040		cmd.exe
PID 3060 wrote to memory of 2980	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2980	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 360	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 360	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1724	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1724	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2324	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2324	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2612	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2612	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 3592	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 3592	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1412	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1412	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2380	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2380	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 3300	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 3300	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 868	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 868	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1388	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 1388	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2688	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2688	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2064	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 2064	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 988	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 988	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 4000	3060	cmd.exe	ipconfig.exe
PID 3060 wrote to memory of 4000	3060	cmd.exe	ipconfig.exe
PID 3060 wrote to memory of 1180	3060	cmd.exe	ROUTE.EXE
PID 3060 wrote to memory of 1180	3060	cmd.exe	ROUTE.EXE
PID 3060 wrote to memory of 1108	3060	cmd.exe	netsh.exe
PID 3060 wrote to memory of 1108	3060	cmd.exe	netsh.exe
PID 3060 wrote to memory of 3220	3060	cmd.exe	systeminfo.exe
PID 3060 wrote to memory of 3220	3060	cmd.exe	systeminfo.exe
PID 3060 wrote to memory of 3600	3060	cmd.exe	tasklist.exe
PID 3060 wrote to memory of 3600	3060	cmd.exe	tasklist.exe
PID 3060 wrote to memory of 3820	3060	cmd.exe	net.exe
PID 3060 wrote to memory of 3820	3060	cmd.exe	net.exe
PID 3820 wrote to memory of 3460	3820	net.exe	net1.exe
PID 3820 wrote to memory of 3460	3820	net.exe	net1.exe
PID 3060 wrote to memory of 3504	3060	cmd.exe	net.exe
PID 3060 wrote to memory of 3504	3060	cmd.exe	net.exe
PID 3504 wrote to memory of 2604	3504	net.exe	net1.exe
PID 3504 wrote to memory of 2604	3504	net.exe	net1.exe
PID 3060 wrote to memory of 3404	3060	cmd.exe	net.exe
PID 3060 wrote to memory of 3404	3060	cmd.exe	net.exe
PID 3404 wrote to memory of 3816	3404	net.exe	net1.exe
PID 3404 wrote to memory of 3816	3404	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3224

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3696 -s 908
2⤵
- Program crash
PID:3640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe
"C:\Users\Admin\AppData\Local\Temp\e71329fb184ef0f0eca172e5a18c5aba23f1c4c7967816784d53dfdaf1707172.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2604

C:\Users\Admin\AppData\Local\Temp\309.exe
C:\Users\Admin\AppData\Local\Temp\309.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2868

C:\Users\Admin\AppData\Local\Temp\1097.exe
C:\Users\Admin\AppData\Local\Temp\1097.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3808

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\3B13.exe
C:\Users\Admin\AppData\Local\Temp\3B13.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1724

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2324

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2612

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3592

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1412

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3300

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:1388

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2688

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2064

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:988

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:4000

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:1180

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:1108

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3220

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3600

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3460

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2604

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3816

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1076

C:\Windows\system32\net.exe
net use
2⤵
PID:3652

C:\Windows\system32\net.exe
net group
2⤵
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2872

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1512

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1300

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2380

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1176

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:344

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3144

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1480

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:388

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1097.exe
MD5
1df18eee77b7bdb425fa8079112ac215

SHA1
22e2b8857247c1d90c8b2d8c4abe45f17b552270

SHA256
c970962d9f99a8b0c7bb542d77fa7353379a0c576a4948f46c16039731944896

SHA512
a1e81b2acb729ba53007c65bf6949453034d44a573be7d18c6371886cb8c8626b2ef75f6ac401b0cf2b816d211f87d16440fe6d1e6873c344ddf6ca1e8089dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1097.exe
MD5
1df18eee77b7bdb425fa8079112ac215

SHA1
22e2b8857247c1d90c8b2d8c4abe45f17b552270

SHA256
c970962d9f99a8b0c7bb542d77fa7353379a0c576a4948f46c16039731944896

SHA512
a1e81b2acb729ba53007c65bf6949453034d44a573be7d18c6371886cb8c8626b2ef75f6ac401b0cf2b816d211f87d16440fe6d1e6873c344ddf6ca1e8089dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\309.exe
MD5
bbf1ebd689055ef70297076f88b4bf3c

SHA1
472aa819e9abb9b7a91862c53f0ad4fd35489bb9

SHA256
c7adbb1b4d84b9f7187c937ff8d092ffa1929abb45f1b8adae6e8589d842cac2

SHA512
a8965e1732ee18a49a97d3172c601f600a2f99ead5dbc74bf6ca3a25f5191e5f534dddef4511bfb40f6b228eba506002d321a0f8675df00ed890f762f6114915

Download Submit
C:\Users\Admin\AppData\Local\Temp\309.exe
MD5
bbf1ebd689055ef70297076f88b4bf3c

SHA1
472aa819e9abb9b7a91862c53f0ad4fd35489bb9

SHA256
c7adbb1b4d84b9f7187c937ff8d092ffa1929abb45f1b8adae6e8589d842cac2

SHA512
a8965e1732ee18a49a97d3172c601f600a2f99ead5dbc74bf6ca3a25f5191e5f534dddef4511bfb40f6b228eba506002d321a0f8675df00ed890f762f6114915

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B13.exe
MD5
0a786b9a7c5f1c87e19cfd4f7d03ce31

SHA1
018dedb0d480ca0eb1fbea465e194caa5f8e51b6

SHA256
484b81dc6bdac19c32d1ad42845fb70c10bb52b6ccdb02c12156cbcba0317155

SHA512
6dbc6eab531b4bc08fc9bffcc0929eeaab4ca2c741f83b6e88ff26a9ba4555639ddba965cf90ffa87f69e8e1e2e7af46d59dc0e5b866d655511223e660a462b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B13.exe
MD5
0a786b9a7c5f1c87e19cfd4f7d03ce31

SHA1
018dedb0d480ca0eb1fbea465e194caa5f8e51b6

SHA256
484b81dc6bdac19c32d1ad42845fb70c10bb52b6ccdb02c12156cbcba0317155

SHA512
6dbc6eab531b4bc08fc9bffcc0929eeaab4ca2c741f83b6e88ff26a9ba4555639ddba965cf90ffa87f69e8e1e2e7af46d59dc0e5b866d655511223e660a462b2

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
bbf1ebd689055ef70297076f88b4bf3c

SHA1
472aa819e9abb9b7a91862c53f0ad4fd35489bb9

SHA256
c7adbb1b4d84b9f7187c937ff8d092ffa1929abb45f1b8adae6e8589d842cac2

SHA512
a8965e1732ee18a49a97d3172c601f600a2f99ead5dbc74bf6ca3a25f5191e5f534dddef4511bfb40f6b228eba506002d321a0f8675df00ed890f762f6114915

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
bbf1ebd689055ef70297076f88b4bf3c

SHA1
472aa819e9abb9b7a91862c53f0ad4fd35489bb9

SHA256
c7adbb1b4d84b9f7187c937ff8d092ffa1929abb45f1b8adae6e8589d842cac2

SHA512
a8965e1732ee18a49a97d3172c601f600a2f99ead5dbc74bf6ca3a25f5191e5f534dddef4511bfb40f6b228eba506002d321a0f8675df00ed890f762f6114915

Download Submit
memory/344-207-0x0000000000000000-mapping.dmp

Download
memory/360-170-0x0000000000000000-mapping.dmp

Download
memory/388-287-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/388-288-0x0000000000410000-0x000000000041B000-memory.dmp

Filesize
44KB

Download
memory/388-286-0x0000000000000000-mapping.dmp

Download
memory/628-284-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/628-283-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/628-282-0x0000000000000000-mapping.dmp

Download
memory/700-281-0x00000000032F0000-0x00000000032F9000-memory.dmp

Filesize
36KB

Download
memory/700-280-0x0000000003300000-0x0000000003305000-memory.dmp

Filesize
20KB

Download
memory/700-279-0x0000000000000000-mapping.dmp

Download
memory/868-180-0x0000000000000000-mapping.dmp

Download
memory/964-208-0x0000000000000000-mapping.dmp

Download
memory/988-184-0x0000000000000000-mapping.dmp

Download
memory/992-277-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

Filesize
56KB

Download
memory/992-275-0x0000000000000000-mapping.dmp

Download
memory/992-276-0x0000000001200000-0x0000000001209000-memory.dmp

Filesize
36KB

Download
memory/1076-197-0x0000000000000000-mapping.dmp

Download
memory/1108-187-0x0000000000000000-mapping.dmp

Download
memory/1176-206-0x0000000000000000-mapping.dmp

Download
memory/1180-186-0x0000000000000000-mapping.dmp

Download
memory/1300-204-0x0000000000000000-mapping.dmp

Download
memory/1352-238-0x0000000000000000-mapping.dmp

Download
memory/1388-226-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-220-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-230-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-229-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-298-0x000001F861D10000-0x000001F861D11000-memory.dmp

Filesize
4KB

Download
memory/1388-299-0x000001F861D10000-0x000001F861D11000-memory.dmp

Filesize
4KB

Download
memory/1388-301-0x000001F85FC20000-0x000001F85FC21000-memory.dmp

Filesize
4KB

Download
memory/1388-278-0x000001F85FC10000-0x000001F85FC11000-memory.dmp

Filesize
4KB

Download
memory/1388-227-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-285-0x000001F861C60000-0x000001F861C61000-memory.dmp

Filesize
4KB

Download
memory/1388-233-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-234-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-235-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-225-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-223-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-222-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-221-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-232-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-219-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-218-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-217-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-215-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-214-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-213-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-245-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-236-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-243-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-239-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-249-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-247-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-181-0x0000000000000000-mapping.dmp

Download
memory/1388-248-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-240-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1388-242-0x00007FFF06010000-0x00007FFF0607B000-memory.dmp

Filesize
428KB

Download
memory/1412-203-0x0000000000000000-mapping.dmp

Download
memory/1412-177-0x0000000000000000-mapping.dmp

Download
memory/1480-273-0x0000000000E60000-0x0000000000E67000-memory.dmp

Filesize
28KB

Download
memory/1480-274-0x0000000000E50000-0x0000000000E5B000-memory.dmp

Filesize
44KB

Download
memory/1480-272-0x0000000000000000-mapping.dmp

Download
memory/1512-202-0x0000000000000000-mapping.dmp

Download
memory/1724-171-0x0000000000000000-mapping.dmp

Download
memory/1736-201-0x0000000000000000-mapping.dmp

Download
memory/2064-183-0x0000000000000000-mapping.dmp

Download
memory/2324-172-0x0000000000000000-mapping.dmp

Download
memory/2372-294-0x0000022F16190000-0x0000022F16191000-memory.dmp

Filesize
4KB

Download
memory/2380-205-0x0000000000000000-mapping.dmp

Download
memory/2380-178-0x0000000000000000-mapping.dmp

Download
memory/2388-295-0x00000147DDAF0000-0x00000147DDAF1000-memory.dmp

Filesize
4KB

Download
memory/2552-196-0x0000000000000000-mapping.dmp

Download
memory/2604-118-0x0000000000761000-0x0000000000772000-memory.dmp

Filesize
68KB

Download
memory/2604-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2604-120-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2604-193-0x0000000000000000-mapping.dmp

Download
memory/2612-173-0x0000000000000000-mapping.dmp

Download
memory/2688-182-0x0000000000000000-mapping.dmp

Download
memory/2716-296-0x0000024369040000-0x0000024369041000-memory.dmp

Filesize
4KB

Download
memory/2868-131-0x0000000000000000-mapping.dmp

Download
memory/2868-138-0x0000000000550000-0x00000000005E1000-memory.dmp

Filesize
580KB

Download
memory/2868-139-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2868-290-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/2868-289-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2872-200-0x0000000000000000-mapping.dmp

Download
memory/2888-293-0x00000000003C0000-0x00000000003CD000-memory.dmp

Filesize
52KB

Download
memory/2888-291-0x0000000000000000-mapping.dmp

Download
memory/2888-292-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2980-169-0x0000000000000000-mapping.dmp

Download
memory/3040-140-0x0000000004610000-0x0000000004626000-memory.dmp

Filesize
88KB

Download
memory/3040-212-0x0000000005370000-0x0000000005372000-memory.dmp

Filesize
8KB

Download
memory/3040-121-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/3040-168-0x0000000004E50000-0x0000000004E5F000-memory.dmp

Filesize
60KB

Download
memory/3040-211-0x0000000005370000-0x0000000005372000-memory.dmp

Filesize
8KB

Download
memory/3040-209-0x0000000005370000-0x0000000005372000-memory.dmp

Filesize
8KB

Download
memory/3040-164-0x0000000005370000-0x0000000005372000-memory.dmp

Filesize
8KB

Download
memory/3040-163-0x0000000005370000-0x0000000005372000-memory.dmp

Filesize
8KB

Download
memory/3060-167-0x0000000000000000-mapping.dmp

Download
memory/3144-266-0x0000000000000000-mapping.dmp

Download
memory/3144-268-0x0000000003600000-0x000000000366B000-memory.dmp

Filesize
428KB

Download
memory/3144-267-0x0000000003670000-0x00000000036E5000-memory.dmp

Filesize
468KB

Download
memory/3220-188-0x0000000000000000-mapping.dmp

Download
memory/3300-179-0x0000000000000000-mapping.dmp

Download
memory/3404-194-0x0000000000000000-mapping.dmp

Download
memory/3452-297-0x0000021050BF0000-0x0000021050BF1000-memory.dmp

Filesize
4KB

Download
memory/3460-191-0x0000000000000000-mapping.dmp

Download
memory/3504-192-0x0000000000000000-mapping.dmp

Download
memory/3592-176-0x0000000000000000-mapping.dmp

Download
memory/3600-189-0x0000000000000000-mapping.dmp

Download
memory/3624-159-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3624-146-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3624-141-0x0000000000000000-mapping.dmp

Download
memory/3624-144-0x0000000000881000-0x00000000008AD000-memory.dmp

Filesize
176KB

Download
memory/3624-145-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/3624-147-0x0000000002250000-0x000000000227E000-memory.dmp

Filesize
184KB

Download
memory/3624-148-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3624-149-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/3624-150-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3624-152-0x0000000004C73000-0x0000000004C74000-memory.dmp

Filesize
4KB

Download
memory/3624-151-0x0000000004C72000-0x0000000004C73000-memory.dmp

Filesize
4KB

Download
memory/3624-166-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3624-165-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/3624-162-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/3624-161-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/3624-160-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/3624-158-0x0000000004C74000-0x0000000004C76000-memory.dmp

Filesize
8KB

Download
memory/3624-157-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3624-156-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3624-155-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3624-154-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3624-153-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3640-300-0x0000016033AD0000-0x0000016033AD1000-memory.dmp

Filesize
4KB

Download
memory/3648-175-0x00000243F10A0000-0x00000243F10A2000-memory.dmp

Filesize
8KB

Download
memory/3648-174-0x00000243F10A0000-0x00000243F10A2000-memory.dmp

Filesize
8KB

Download
memory/3652-198-0x0000000000000000-mapping.dmp

Download
memory/3660-271-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/3660-270-0x0000000000730000-0x0000000000737000-memory.dmp

Filesize
28KB

Download
memory/3660-269-0x0000000000000000-mapping.dmp

Download
memory/3808-135-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3808-125-0x0000000000000000-mapping.dmp

Download
memory/3808-136-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3816-195-0x0000000000000000-mapping.dmp

Download
memory/3820-190-0x0000000000000000-mapping.dmp

Download
memory/3872-199-0x0000000000000000-mapping.dmp

Download
memory/4000-185-0x0000000000000000-mapping.dmp

Download
memory/4004-130-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4004-129-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4004-128-0x00000000007B1000-0x0000000000831000-memory.dmp

Filesize
512KB

Download
memory/4004-122-0x0000000000000000-mapping.dmp

Download