redline | ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730

Analysis

max time kernel
151s
max time network
139s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
Size

332KB
MD5

3c6942db69d119bbdd79e9dd7a05480b
SHA1

18c3b1114b40c71ae818547779e86af07f7723dc
SHA256

ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730
SHA512

aa7c5c94daf39cfb2c8a35570de5554a2095a1da9ee56640db682d922cda671a748da53d1f0d25b3274efae97376d6c9f49518a564e538ec9817fca4c0c56c51

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1884-148-0x0000000002680000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/1884-153-0x0000000004B90000-0x0000000004BBC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

273B.exeSmartClock.exe3C89.exe6AFD.exe80F7.exe

pid process

3880 273B.exe
3712 SmartClock.exe
3556 3C89.exe
432 6AFD.exe
1884 80F7.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

3016
Drops startup file 1 IoCs

Processes:

273B.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 273B.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3880	273B.exe
3712	SmartClock.exe
3556	3C89.exe
432	6AFD.exe
1884	80F7.exe

pid	process
3016

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	273B.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1396 432 WerFault.exe 6AFD.exe
668 3752 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1396	432	WerFault.exe	6AFD.exe
668	3752	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe3C89.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3C89.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3C89.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3C89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1840 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeipconfig.exe

pid process

2428 NETSTAT.EXE
3892 NETSTAT.EXE
4092 ipconfig.exe
1224 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1504 systeminfo.exe

pid	process
1840	tasklist.exe

pid	process
2428	NETSTAT.EXE
3892	NETSTAT.EXE
4092	ipconfig.exe
1224	ipconfig.exe

pid	process
1504	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30DD34FE-52EA-11EC-B34F-5AE1374FA507} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3712 SmartClock.exe

pid	process
3712	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe

pid	process
2628	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
2628	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe3C89.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2628	ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
3556	3C89.exe
3016
3016
3016
3016
3016
3016
2788	explorer.exe
2788	explorer.exe
3016
3016
1816	explorer.exe
1816	explorer.exe
3016
3016
1036	explorer.exe
1036	explorer.exe
3016
3016
1224	explorer.exe
1224	explorer.exe
3016
3016
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
3016
3016
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe
3104	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe80F7.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1396	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1884	80F7.exe
Token: SeIncreaseQuotaPrivilege	4032	WMIC.exe
Token: SeSecurityPrivilege	4032	WMIC.exe
Token: SeTakeOwnershipPrivilege	4032	WMIC.exe
Token: SeLoadDriverPrivilege	4032	WMIC.exe
Token: SeSystemProfilePrivilege	4032	WMIC.exe
Token: SeSystemtimePrivilege	4032	WMIC.exe
Token: SeProfSingleProcessPrivilege	4032	WMIC.exe
Token: SeIncBasePriorityPrivilege	4032	WMIC.exe
Token: SeCreatePagefilePrivilege	4032	WMIC.exe
Token: SeBackupPrivilege	4032	WMIC.exe
Token: SeRestorePrivilege	4032	WMIC.exe
Token: SeShutdownPrivilege	4032	WMIC.exe
Token: SeDebugPrivilege	4032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4032	WMIC.exe
Token: SeRemoteShutdownPrivilege	4032	WMIC.exe
Token: SeUndockPrivilege	4032	WMIC.exe
Token: SeManageVolumePrivilege	4032	WMIC.exe
Token: 33	4032	WMIC.exe
Token: 34	4032	WMIC.exe
Token: 35	4032	WMIC.exe
Token: 36	4032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4032	WMIC.exe
Token: SeSecurityPrivilege	4032	WMIC.exe
Token: SeTakeOwnershipPrivilege	4032	WMIC.exe
Token: SeLoadDriverPrivilege	4032	WMIC.exe
Token: SeSystemProfilePrivilege	4032	WMIC.exe
Token: SeSystemtimePrivilege	4032	WMIC.exe
Token: SeProfSingleProcessPrivilege	4032	WMIC.exe
Token: SeIncBasePriorityPrivilege	4032	WMIC.exe
Token: SeCreatePagefilePrivilege	4032	WMIC.exe
Token: SeBackupPrivilege	4032	WMIC.exe
Token: SeRestorePrivilege	4032	WMIC.exe
Token: SeShutdownPrivilege	4032	WMIC.exe
Token: SeDebugPrivilege	4032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4032	WMIC.exe
Token: SeRemoteShutdownPrivilege	4032	WMIC.exe
Token: SeUndockPrivilege	4032	WMIC.exe
Token: SeManageVolumePrivilege	4032	WMIC.exe
Token: 33	4032	WMIC.exe
Token: 34	4032	WMIC.exe
Token: 35	4032	WMIC.exe
Token: 36	4032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3180	WMIC.exe
Token: SeSecurityPrivilege	3180	WMIC.exe
Token: SeTakeOwnershipPrivilege	3180	WMIC.exe
Token: SeLoadDriverPrivilege	3180	WMIC.exe
Token: SeSystemProfilePrivilege	3180	WMIC.exe
Token: SeSystemtimePrivilege	3180	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2336 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2336 iexplore.exe
2336 iexplore.exe
4056 IEXPLORE.EXE
4056 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3448 RuntimeBroker.exe

pid	process
2336	iexplore.exe

pid	process
2336	iexplore.exe
2336	iexplore.exe
4056	IEXPLORE.EXE
4056	IEXPLORE.EXE

pid	process
3448	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

273B.execmd.exenet.exenet.exe

description	pid	process	target process
PID 3016 wrote to memory of 3880	3016		273B.exe
PID 3016 wrote to memory of 3880	3016		273B.exe
PID 3016 wrote to memory of 3880	3016		273B.exe
PID 3880 wrote to memory of 3712	3880	273B.exe	SmartClock.exe
PID 3880 wrote to memory of 3712	3880	273B.exe	SmartClock.exe
PID 3880 wrote to memory of 3712	3880	273B.exe	SmartClock.exe
PID 3016 wrote to memory of 3556	3016		3C89.exe
PID 3016 wrote to memory of 3556	3016		3C89.exe
PID 3016 wrote to memory of 3556	3016		3C89.exe
PID 3016 wrote to memory of 432	3016		6AFD.exe
PID 3016 wrote to memory of 432	3016		6AFD.exe
PID 3016 wrote to memory of 1884	3016		80F7.exe
PID 3016 wrote to memory of 1884	3016		80F7.exe
PID 3016 wrote to memory of 1884	3016		80F7.exe
PID 3016 wrote to memory of 828	3016		cmd.exe
PID 3016 wrote to memory of 828	3016		cmd.exe
PID 828 wrote to memory of 4032	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 4032	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3180	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3180	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 1348	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 1348	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3888	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3888	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3492	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3492	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2060	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2060	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3228	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3228	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 4060	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 4060	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2116	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2116	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3768	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3768	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2176	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2176	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3812	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3812	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2788	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 2788	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 1836	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 1836	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 1224	828	cmd.exe	ipconfig.exe
PID 828 wrote to memory of 1224	828	cmd.exe	ipconfig.exe
PID 828 wrote to memory of 912	828	cmd.exe	ROUTE.EXE
PID 828 wrote to memory of 912	828	cmd.exe	ROUTE.EXE
PID 828 wrote to memory of 856	828	cmd.exe	netsh.exe
PID 828 wrote to memory of 856	828	cmd.exe	netsh.exe
PID 828 wrote to memory of 1504	828	cmd.exe	systeminfo.exe
PID 828 wrote to memory of 1504	828	cmd.exe	systeminfo.exe
PID 828 wrote to memory of 1840	828	cmd.exe	tasklist.exe
PID 828 wrote to memory of 1840	828	cmd.exe	tasklist.exe
PID 828 wrote to memory of 3216	828	cmd.exe	net.exe
PID 828 wrote to memory of 3216	828	cmd.exe	net.exe
PID 3216 wrote to memory of 3392	3216	net.exe	net1.exe
PID 3216 wrote to memory of 3392	3216	net.exe	net1.exe
PID 828 wrote to memory of 1692	828	cmd.exe	net.exe
PID 828 wrote to memory of 1692	828	cmd.exe	net.exe
PID 1692 wrote to memory of 2136	1692	net.exe	net1.exe
PID 1692 wrote to memory of 2136	1692	net.exe	net1.exe
PID 828 wrote to memory of 3608	828	cmd.exe	net.exe
PID 828 wrote to memory of 3608	828	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3752 -s 900
2⤵
- Program crash
PID:668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3248

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2360

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe
"C:\Users\Admin\AppData\Local\Temp\ec2f5b41e8cb119e2ab926e7a0ac42c89182eccc033bcca5b311e555f79c4730.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2628

C:\Users\Admin\AppData\Local\Temp\273B.exe
C:\Users\Admin\AppData\Local\Temp\273B.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3712

C:\Users\Admin\AppData\Local\Temp\3C89.exe
C:\Users\Admin\AppData\Local\Temp\3C89.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3556

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\6AFD.exe
C:\Users\Admin\AppData\Local\Temp\6AFD.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 432 -s 420
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\80F7.exe
C:\Users\Admin\AppData\Local\Temp\80F7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1348

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3492

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3228

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3768

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2176

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3812

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1836

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1224

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:912

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:856

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1504

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:1840

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3392

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2136

C:\Windows\system32\net.exe
net user
2⤵
PID:3608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4052

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:3948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3772

C:\Windows\system32\net.exe
net use
2⤵
PID:3620

C:\Windows\system32\net.exe
net group
2⤵
PID:2116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3168

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:2200

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1344

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3812

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3892

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3332

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:4092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1224

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\273B.exe
MD5
2798167a94de0c0d428a73c4a86d141b

SHA1
659aa0c21e56dd33bec2b1bcd8d41bd9bf4ee23c

SHA256
542081c4248a87e13ff769b356660794c56b0cd6829236fb50ea724d08cfd354

SHA512
689a529b19cc01d772d94833427288efd7872ff377742e6518f6fd0daf6b5a161fe3c12ea450e1833dfb3f89e57146742fd6db8bd4512155948944a423ad3199

Download Submit
C:\Users\Admin\AppData\Local\Temp\273B.exe
MD5
2798167a94de0c0d428a73c4a86d141b

SHA1
659aa0c21e56dd33bec2b1bcd8d41bd9bf4ee23c

SHA256
542081c4248a87e13ff769b356660794c56b0cd6829236fb50ea724d08cfd354

SHA512
689a529b19cc01d772d94833427288efd7872ff377742e6518f6fd0daf6b5a161fe3c12ea450e1833dfb3f89e57146742fd6db8bd4512155948944a423ad3199

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe
MD5
05db051d56a60badfecd383277573408

SHA1
2acb74daebd96c79e8e412468fd8b2c22d20861a

SHA256
41f90072241c6875fbd2cf1125881345e08c95d38de2b01c6815d164c6846f28

SHA512
87572dad23c1058c7414e838d9febf7130b14595d97ecfe7aa91b21cdf895db800023e9d0704d79b4922ff5f3e109279409b5d26e1175959d545eeb9fe69c59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe
MD5
05db051d56a60badfecd383277573408

SHA1
2acb74daebd96c79e8e412468fd8b2c22d20861a

SHA256
41f90072241c6875fbd2cf1125881345e08c95d38de2b01c6815d164c6846f28

SHA512
87572dad23c1058c7414e838d9febf7130b14595d97ecfe7aa91b21cdf895db800023e9d0704d79b4922ff5f3e109279409b5d26e1175959d545eeb9fe69c59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AFD.exe
MD5
89f72549d10ca37bda16dfb88b06163c

SHA1
6bf7fdcf959387f311a4d519c99addd83fcddbb3

SHA256
a87650819ff9fdaa524de78d2024505b3afba6412084f5a18d001605bad4e52f

SHA512
fb2a292d33a98dd7ff4d35c776ac867a15b34d28238733151c0803595063eb97c52d81012622dd8537716def6011617242e2486eb99bd8acb72918d93ce64fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AFD.exe
MD5
89f72549d10ca37bda16dfb88b06163c

SHA1
6bf7fdcf959387f311a4d519c99addd83fcddbb3

SHA256
a87650819ff9fdaa524de78d2024505b3afba6412084f5a18d001605bad4e52f

SHA512
fb2a292d33a98dd7ff4d35c776ac867a15b34d28238733151c0803595063eb97c52d81012622dd8537716def6011617242e2486eb99bd8acb72918d93ce64fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\80F7.exe
MD5
110ac582e3ade63b881ef982b16c6ee2

SHA1
82f88384291abd7d12e6ae445e08acf4080946e4

SHA256
834063cee53254694a3592e23c659252df8381c2842c5aea5a1fbdbfde17cdbf

SHA512
54f3e0c2e494be0e18d8a24057391f7ed2e3cb070ecf748bde199b3aa0225c1aca8d87e1ae31273b67d354d43c321afc1cbed773ce0d01d512cda1706dac0d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\80F7.exe
MD5
110ac582e3ade63b881ef982b16c6ee2

SHA1
82f88384291abd7d12e6ae445e08acf4080946e4

SHA256
834063cee53254694a3592e23c659252df8381c2842c5aea5a1fbdbfde17cdbf

SHA512
54f3e0c2e494be0e18d8a24057391f7ed2e3cb070ecf748bde199b3aa0225c1aca8d87e1ae31273b67d354d43c321afc1cbed773ce0d01d512cda1706dac0d0e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
2798167a94de0c0d428a73c4a86d141b

SHA1
659aa0c21e56dd33bec2b1bcd8d41bd9bf4ee23c

SHA256
542081c4248a87e13ff769b356660794c56b0cd6829236fb50ea724d08cfd354

SHA512
689a529b19cc01d772d94833427288efd7872ff377742e6518f6fd0daf6b5a161fe3c12ea450e1833dfb3f89e57146742fd6db8bd4512155948944a423ad3199

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
2798167a94de0c0d428a73c4a86d141b

SHA1
659aa0c21e56dd33bec2b1bcd8d41bd9bf4ee23c

SHA256
542081c4248a87e13ff769b356660794c56b0cd6829236fb50ea724d08cfd354

SHA512
689a529b19cc01d772d94833427288efd7872ff377742e6518f6fd0daf6b5a161fe3c12ea450e1833dfb3f89e57146742fd6db8bd4512155948944a423ad3199

Download Submit
memory/432-141-0x0000000000000000-mapping.dmp

Download
memory/432-302-0x00000189B4D10000-0x00000189B4D11000-memory.dmp

Filesize
4KB

Download
memory/668-305-0x000002317A060000-0x000002317A061000-memory.dmp

Filesize
4KB

Download
memory/828-165-0x0000000000000000-mapping.dmp

Download
memory/856-289-0x0000000000000000-mapping.dmp

Download
memory/856-190-0x0000000000000000-mapping.dmp

Download
memory/856-291-0x0000000000750000-0x000000000075B000-memory.dmp

Filesize
44KB

Download
memory/856-290-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/912-189-0x0000000000000000-mapping.dmp

Download
memory/1036-283-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/1036-284-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1036-282-0x0000000000000000-mapping.dmp

Download
memory/1224-286-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/1224-285-0x0000000000000000-mapping.dmp

Download
memory/1224-287-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/1224-188-0x0000000000000000-mapping.dmp

Download
memory/1344-207-0x0000000000000000-mapping.dmp

Download
memory/1348-174-0x0000000000000000-mapping.dmp

Download
memory/1384-204-0x0000000000000000-mapping.dmp

Download
memory/1396-303-0x000001F225F00000-0x000001F225F01000-memory.dmp

Filesize
4KB

Download
memory/1400-273-0x00000000005C0000-0x00000000005C7000-memory.dmp

Filesize
28KB

Download
memory/1400-274-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1400-270-0x0000000000000000-mapping.dmp

Download
memory/1504-191-0x0000000000000000-mapping.dmp

Download
memory/1692-195-0x0000000000000000-mapping.dmp

Download
memory/1816-280-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/1816-278-0x0000000000000000-mapping.dmp

Download
memory/1816-279-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/1836-187-0x0000000000000000-mapping.dmp

Download
memory/1840-192-0x0000000000000000-mapping.dmp

Download
memory/1884-154-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1884-155-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1884-159-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/1884-160-0x0000000004C63000-0x0000000004C64000-memory.dmp

Filesize
4KB

Download
memory/1884-158-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1884-157-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/1884-166-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1884-167-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1884-168-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1884-169-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/1884-170-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/1884-171-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/1884-156-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1884-161-0x0000000004C64000-0x0000000004C66000-memory.dmp

Filesize
8KB

Download
memory/1884-153-0x0000000004B90000-0x0000000004BBC000-memory.dmp

Filesize
176KB

Download
memory/1884-144-0x0000000000000000-mapping.dmp

Download
memory/1884-152-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1884-147-0x0000000000841000-0x000000000086D000-memory.dmp

Filesize
176KB

Download
memory/1884-148-0x0000000002680000-0x00000000026AE000-memory.dmp

Filesize
184KB

Download
memory/1884-150-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1884-151-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1884-149-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/2060-179-0x0000000000000000-mapping.dmp

Download
memory/2116-182-0x0000000000000000-mapping.dmp

Download
memory/2116-202-0x0000000000000000-mapping.dmp

Download
memory/2136-196-0x0000000000000000-mapping.dmp

Download
memory/2176-184-0x0000000000000000-mapping.dmp

Download
memory/2200-205-0x0000000000000000-mapping.dmp

Download
memory/2336-248-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-245-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-306-0x0000015E53060000-0x0000015E53061000-memory.dmp

Filesize
4KB

Download
memory/2336-236-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-304-0x0000015E531E0000-0x0000015E531E1000-memory.dmp

Filesize
4KB

Download
memory/2336-234-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-233-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-232-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-230-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-229-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-288-0x0000015E550A0000-0x0000015E550A1000-memory.dmp

Filesize
4KB

Download
memory/2336-281-0x0000015E53050000-0x0000015E53051000-memory.dmp

Filesize
4KB

Download
memory/2336-228-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-226-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-225-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-252-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-251-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-250-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-224-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-223-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-246-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-237-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-243-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-242-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-239-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-222-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-238-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-216-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-217-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-218-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-220-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2336-221-0x00007FF87C130000-0x00007FF87C19B000-memory.dmp

Filesize
428KB

Download
memory/2352-297-0x000002207B190000-0x000002207B191000-memory.dmp

Filesize
4KB

Download
memory/2360-298-0x000001F56ED20000-0x000001F56ED21000-memory.dmp

Filesize
4KB

Download
memory/2428-206-0x0000000000000000-mapping.dmp

Download
memory/2492-299-0x0000019887BA0000-0x0000019887BA1000-memory.dmp

Filesize
4KB

Download
memory/2492-301-0x0000019887EE0000-0x0000019887EE1000-memory.dmp

Filesize
4KB

Download
memory/2628-118-0x0000000000831000-0x0000000000842000-memory.dmp

Filesize
68KB

Download
memory/2628-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2628-120-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2788-186-0x0000000000000000-mapping.dmp

Download
memory/2788-275-0x0000000000000000-mapping.dmp

Download
memory/2788-277-0x0000000000510000-0x000000000051B000-memory.dmp

Filesize
44KB

Download
memory/2788-276-0x0000000000520000-0x0000000000527000-memory.dmp

Filesize
28KB

Download
memory/3016-214-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download
memory/3016-164-0x0000000005640000-0x000000000564F000-memory.dmp

Filesize
60KB

Download
memory/3016-212-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download
memory/3016-215-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download
memory/3016-121-0x00000000013B0000-0x00000000013C6000-memory.dmp

Filesize
88KB

Download
memory/3016-140-0x0000000003450000-0x0000000003466000-memory.dmp

Filesize
88KB

Download
memory/3016-163-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download
memory/3016-162-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download
memory/3104-294-0x0000000000000000-mapping.dmp

Download
memory/3104-295-0x00000000009E0000-0x00000000009E7000-memory.dmp

Filesize
28KB

Download
memory/3104-296-0x00000000009D0000-0x00000000009DD000-memory.dmp

Filesize
52KB

Download
memory/3168-203-0x0000000000000000-mapping.dmp

Download
memory/3180-173-0x0000000000000000-mapping.dmp

Download
memory/3216-193-0x0000000000000000-mapping.dmp

Download
memory/3228-180-0x0000000000000000-mapping.dmp

Download
memory/3332-210-0x0000000000000000-mapping.dmp

Download
memory/3392-194-0x0000000000000000-mapping.dmp

Download
memory/3448-300-0x000001D653480000-0x000001D653481000-memory.dmp

Filesize
4KB

Download
memory/3492-176-0x0000000000000000-mapping.dmp

Download
memory/3556-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3556-135-0x00000000006F1000-0x0000000000702000-memory.dmp

Filesize
68KB

Download
memory/3556-139-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3556-131-0x0000000000000000-mapping.dmp

Download
memory/3608-197-0x0000000000000000-mapping.dmp

Download
memory/3620-201-0x0000000000000000-mapping.dmp

Download
memory/3680-178-0x000001E0C0D50000-0x000001E0C0D52000-memory.dmp

Filesize
8KB

Download
memory/3680-177-0x000001E0C0D50000-0x000001E0C0D52000-memory.dmp

Filesize
8KB

Download
memory/3712-137-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3712-292-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3712-136-0x00000000007B0000-0x0000000000841000-memory.dmp

Filesize
580KB

Download
memory/3712-293-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/3712-126-0x0000000000000000-mapping.dmp

Download
memory/3768-183-0x0000000000000000-mapping.dmp

Download
memory/3772-200-0x0000000000000000-mapping.dmp

Download
memory/3812-208-0x0000000000000000-mapping.dmp

Download
memory/3812-185-0x0000000000000000-mapping.dmp

Download
memory/3840-272-0x00000000036A0000-0x000000000370B000-memory.dmp

Filesize
428KB

Download
memory/3840-269-0x0000000000000000-mapping.dmp

Download
memory/3840-271-0x0000000003710000-0x0000000003785000-memory.dmp

Filesize
468KB

Download
memory/3880-130-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3880-122-0x0000000000000000-mapping.dmp

Download
memory/3880-129-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/3888-175-0x0000000000000000-mapping.dmp

Download
memory/3892-209-0x0000000000000000-mapping.dmp

Download
memory/3948-199-0x0000000000000000-mapping.dmp

Download
memory/4032-172-0x0000000000000000-mapping.dmp

Download
memory/4052-198-0x0000000000000000-mapping.dmp

Download
memory/4056-241-0x0000000000000000-mapping.dmp

Download
memory/4060-181-0x0000000000000000-mapping.dmp

Download
memory/4092-211-0x0000000000000000-mapping.dmp

Download