lumma | ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c

Analysis

max time kernel
117s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2023 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
Size

207KB
MD5

c8bc01211ac0a9e1ef771a215f2c0174
SHA1

6e473114e786e396012a03518c5bb4acb275a6e8
SHA256

ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c
SHA512

bc6029c6e5fbc5e44b4f97968a729eb99a1dc3e57051b7b4419470783ea2f002adfcd7ade74d4fb5409c9403fedf1d90f98699c3efeb0053ac22adabe6e0b419
SSDEEP

3072:kXNogTCS3EuOTF+Jsp5F5/7MP6bsEg+ohwg8U7yxwgO8uapb:gJCS3EuO0Jsr/m6wEg+Lg8U7rgOEp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2124-133-0x0000000002D10000-0x0000000002D19000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

40 2708 rundll32.exe
43 2708 rundll32.exe
57 2708 rundll32.exe
62 2708 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2A5C.exe828F.exe

pid process

5076 2A5C.exe
1656 828F.exe

flow	pid	process
40	2708	rundll32.exe
43	2708	rundll32.exe
57	2708	rundll32.exe
62	2708	rundll32.exe

pid	process
5076	2A5C.exe
1656	828F.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScCore\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\ScCore.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScCore\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2708 rundll32.exe
4200 svchost.exe
3404 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2708	rundll32.exe
4200	svchost.exe
3404	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2708 set thread context of 2272	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 1332	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 1620	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 3956	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 3976	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 2252	2708	rundll32.exe	schtasks.exe

Drops file in Program Files directory 27 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOnNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroSup64.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3544 5076 WerFault.exe 2A5C.exe
3020 1656 WerFault.exe 828F.exe

pid	pid_target	process	target process
3544	5076	WerFault.exe	2A5C.exe
3020	1656	WerFault.exe	828F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exeschtasks.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f568301100054656d7000003a0009000400efbe6b558a6c2f5683012e0000000000000000000000000000000000000000000000000032480400540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe

pid	process
2124	ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
2124	ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

668
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe

pid process

2124 ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeDebugPrivilege	2708	rundll32.exe
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2272	rundll32.exe
668
668
668
668
2708	rundll32.exe
668
668
668
668
1332	rundll32.exe
2708	rundll32.exe
1620	rundll32.exe
2708	rundll32.exe
3956	rundll32.exe
2708	rundll32.exe
3976	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

2A5C.exesvchost.exerundll32.exe

description	pid	process	target process
PID 668 wrote to memory of 5076	668		2A5C.exe
PID 668 wrote to memory of 5076	668		2A5C.exe
PID 668 wrote to memory of 5076	668		2A5C.exe
PID 5076 wrote to memory of 2708	5076	2A5C.exe	rundll32.exe
PID 5076 wrote to memory of 2708	5076	2A5C.exe	rundll32.exe
PID 5076 wrote to memory of 2708	5076	2A5C.exe	rundll32.exe
PID 668 wrote to memory of 1656	668		828F.exe
PID 668 wrote to memory of 1656	668		828F.exe
PID 668 wrote to memory of 1656	668		828F.exe
PID 4200 wrote to memory of 3404	4200	svchost.exe	rundll32.exe
PID 4200 wrote to memory of 3404	4200	svchost.exe	rundll32.exe
PID 4200 wrote to memory of 3404	4200	svchost.exe	rundll32.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 4308	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4308	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4308	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1844	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1844	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1844	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1332	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1332	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1332	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1684	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1684	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1684	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1620	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1620	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1620	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 1112	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1112	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 1112	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4128	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4128	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4128	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 3956	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3956	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3956	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 952	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 952	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 952	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 3976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2252	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 2252	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 2252	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 2252	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4576	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4576	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4576	2708	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe
"C:\Users\Admin\AppData\Local\Temp\ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2124

C:\Users\Admin\AppData\Local\Temp\2A5C.exe
C:\Users\Admin\AppData\Local\Temp\2A5C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2708

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2272

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4308

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1844

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1332

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1684

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4128

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:952

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
- Checks processor information in registry
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4576

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3464

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4360

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2296

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5084

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:1516

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3928

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3736

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1048

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4252

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:2820

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 532
2⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5076 -ip 5076
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\828F.exe
C:\Users\Admin\AppData\Local\Temp\828F.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1336
2⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1656 -ip 1656
1⤵
PID:4936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\sccore.dll",dksrb0hURA==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll

Filesize
774KB

MD5
73002192ab487ffba814157894fb64dd

SHA1
f672fe0c9fc75eab7a4c35cdcffd7f30f575b755

SHA256
9c8f85674f32525a344741504f8c1987adec77b32e4f69c10f24267c10742cfb

SHA512
8a054196bb63f2f0705dc512174ed42ce1e8b07979a2f257a4c5e47de735c887458802e2e30de7f9af34457733a7c139609ddf4deeadc216f2e1e4be24a6870f

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll

Filesize
774KB

MD5
73002192ab487ffba814157894fb64dd

SHA1
f672fe0c9fc75eab7a4c35cdcffd7f30f575b755

SHA256
9c8f85674f32525a344741504f8c1987adec77b32e4f69c10f24267c10742cfb

SHA512
8a054196bb63f2f0705dc512174ed42ce1e8b07979a2f257a4c5e47de735c887458802e2e30de7f9af34457733a7c139609ddf4deeadc216f2e1e4be24a6870f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml

Filesize
2KB

MD5
13eb9cfbca43ebcd240e1fcff5acab4d

SHA1
5a0da86ab3f30905433677284eb843742f05afe5

SHA256
616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8

SHA512
256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOutlook2013CAWin32.xml

Filesize
1KB

MD5
42acdf1f7faad8e138134083a57424bd

SHA1
f6b05b2eba7723ed2b61c698377053b05ee8eeb5

SHA256
91bcc8d78d76422bf8a162c10d96ce91435470d8601290ddcbe3216c3bb7009c

SHA512
ca976b96bb036d2a72a61f5d0da83de6e4deb694353ca57e3016124db4a041c3ba7391bb1f508e3fa010b0f412df2b71b3acbaa5ad99c189beace9fcc5193abb

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
3b63c6a6563868ed17524e4147b3eee3

SHA1
020ccd3ccd8e494f457202c82e0d3bb7d9852d23

SHA256
4a5c86ba3e921eb45d2372d6b7536bc32022028c3a023274a724765ddf58da12

SHA512
206d22086b81b76d0659fda1971716f54299c630276b98984344cf37a7e5c6c05567e4a41b720259f512bc779706b2dd9d25b6a8cf7ed8fb9972896c304c3783

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.log

Filesize
64KB

MD5
950a765b75342020ecbff26deb862205

SHA1
33ac73e52fc7cc4f2f9b4606682371e23605c4a2

SHA256
d1b17e354889dc00d1ac3eb275b27d1fc8cadec10e5a2bc231cf01f07d703b6f

SHA512
369d758a487fb682563beda27e7ec964c8cda924a2f32dbec0c591dc7f637b19c7141d0f7579dc585db0fcc7fe80b601b64dc66d7c39e764f966dbde051c0765

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml

Filesize
1KB

MD5
0e190f6bbc7898c31d4eae77c6abebfe

SHA1
fb6673c8116b650f0536d56be09eb188d7bdc930

SHA256
f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118

SHA512
faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.hash

Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A5C.exe

Filesize
1.0MB

MD5
5430648c55212089956ba095fa661f3f

SHA1
490b04dade98fdf99d2b04e482d4b918bcc971fb

SHA256
55d46aee3fc1c296e0216dcd7cdd796274d15d23c3f66176e21ab9a0f26af5fe

SHA512
e4bbfdae13a8aaafb3d5147b6b0c160ae2f1b78f4df6b28d09482f9b8faebc880a2b163ed4821f4dfaeb2691d2426782cf67e8f3772e19f4e2196997217ebf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A5C.exe

Filesize
1.0MB

MD5
5430648c55212089956ba095fa661f3f

SHA1
490b04dade98fdf99d2b04e482d4b918bcc971fb

SHA256
55d46aee3fc1c296e0216dcd7cdd796274d15d23c3f66176e21ab9a0f26af5fe

SHA512
e4bbfdae13a8aaafb3d5147b6b0c160ae2f1b78f4df6b28d09482f9b8faebc880a2b163ed4821f4dfaeb2691d2426782cf67e8f3772e19f4e2196997217ebf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\828F.exe

Filesize
245KB

MD5
93b7f6cc37423d4985a265ce8ce722d8

SHA1
da838b68078d367e9b1bf2cba163bf52db4c90a0

SHA256
e256b21036684c4bbbe78844f25fa9931aeced4548d9b49d24a356bf6c214c01

SHA512
d761363f2fe2d04a123875d878b3ee1c732365a9ebbcba3818b7afedb07642109adb21504d04344c5e8486489789bbe90acabbe52ccd1e70c3071d6c86cc54e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\828F.exe

Filesize
245KB

MD5
93b7f6cc37423d4985a265ce8ce722d8

SHA1
da838b68078d367e9b1bf2cba163bf52db4c90a0

SHA256
e256b21036684c4bbbe78844f25fa9931aeced4548d9b49d24a356bf6c214c01

SHA512
d761363f2fe2d04a123875d878b3ee1c732365a9ebbcba3818b7afedb07642109adb21504d04344c5e8486489789bbe90acabbe52ccd1e70c3071d6c86cc54e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\sccore.dll

Filesize
774KB

MD5
73002192ab487ffba814157894fb64dd

SHA1
f672fe0c9fc75eab7a4c35cdcffd7f30f575b755

SHA256
9c8f85674f32525a344741504f8c1987adec77b32e4f69c10f24267c10742cfb

SHA512
8a054196bb63f2f0705dc512174ed42ce1e8b07979a2f257a4c5e47de735c887458802e2e30de7f9af34457733a7c139609ddf4deeadc216f2e1e4be24a6870f

Download Submit
memory/668-223-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-212-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-149-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-150-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-151-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-152-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-153-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-154-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-155-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-156-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-157-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-158-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-159-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-160-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-161-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-210-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-147-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-146-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-208-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/668-145-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-144-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-221-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-206-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-219-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-211-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-220-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-213-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-143-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/668-142-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-203-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-240-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/668-148-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-214-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-215-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-216-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-141-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-140-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-139-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-217-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-224-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/668-138-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-137-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-209-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-222-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-136-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/668-218-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/952-262-0x0000000000000000-mapping.dmp

Download
memory/1048-344-0x0000000000000000-mapping.dmp

Download
memory/1112-251-0x0000000000000000-mapping.dmp

Download
memory/1332-238-0x00000140A2250000-0x00000140A2505000-memory.dmp

Filesize
2.7MB

Download
memory/1332-232-0x00007FF610BD6890-mapping.dmp

Download
memory/1332-233-0x00000140A3CB0000-0x00000140A3DF0000-memory.dmp

Filesize
1.2MB

Download
memory/1332-234-0x00000140A3CB0000-0x00000140A3DF0000-memory.dmp

Filesize
1.2MB

Download
memory/1332-235-0x00000140A2250000-0x00000140A2505000-memory.dmp

Filesize
2.7MB

Download
memory/1356-319-0x0000000000000000-mapping.dmp

Download
memory/1516-331-0x000001ECEB060000-0x000001ECEB315000-memory.dmp

Filesize
2.7MB

Download
memory/1516-334-0x000001ECEB060000-0x000001ECEB315000-memory.dmp

Filesize
2.7MB

Download
memory/1516-328-0x00007FF610BD6890-mapping.dmp

Download
memory/1620-246-0x00007FF610BD6890-mapping.dmp

Download
memory/1620-249-0x0000018DA6B00000-0x0000018DA6C40000-memory.dmp

Filesize
1.2MB

Download
memory/1620-252-0x0000018DA6C50000-0x0000018DA6F05000-memory.dmp

Filesize
2.7MB

Download
memory/1620-250-0x0000018DA6C50000-0x0000018DA6F05000-memory.dmp

Filesize
2.7MB

Download
memory/1620-248-0x0000018DA6B00000-0x0000018DA6C40000-memory.dmp

Filesize
1.2MB

Download
memory/1656-176-0x0000000002BF9000-0x0000000002C13000-memory.dmp

Filesize
104KB

Download
memory/1656-177-0x0000000002D20000-0x0000000002D4A000-memory.dmp

Filesize
168KB

Download
memory/1656-181-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1656-173-0x0000000000000000-mapping.dmp

Download
memory/1656-178-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1684-241-0x0000000000000000-mapping.dmp

Download
memory/1712-321-0x000001C8D82A0000-0x000001C8D8555000-memory.dmp

Filesize
2.7MB

Download
memory/1712-318-0x000001C8D82A0000-0x000001C8D8555000-memory.dmp

Filesize
2.7MB

Download
memory/1712-315-0x00007FF610BD6890-mapping.dmp

Download
memory/1844-227-0x0000000000000000-mapping.dmp

Download
memory/1960-290-0x00007FF610BD6890-mapping.dmp

Download
memory/1960-294-0x0000020367C00000-0x0000020367EB5000-memory.dmp

Filesize
2.7MB

Download
memory/1960-297-0x0000020367C00000-0x0000020367EB5000-memory.dmp

Filesize
2.7MB

Download
memory/2124-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2124-132-0x0000000002BD8000-0x0000000002BE9000-memory.dmp

Filesize
68KB

Download
memory/2124-133-0x0000000002D10000-0x0000000002D19000-memory.dmp

Filesize
36KB

Download
memory/2124-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2252-283-0x0000000001910000-0x0000000002465000-memory.dmp

Filesize
11.3MB

Download
memory/2252-281-0x0000000000AA0000-0x00000000014D6000-memory.dmp

Filesize
10.2MB

Download
memory/2252-271-0x0000000000000000-mapping.dmp

Download
memory/2268-302-0x00007FF610BD6890-mapping.dmp

Download
memory/2268-307-0x0000028E08980000-0x0000028E08C35000-memory.dmp

Filesize
2.7MB

Download
memory/2268-310-0x0000028E08980000-0x0000028E08C35000-memory.dmp

Filesize
2.7MB

Download
memory/2272-226-0x000001E829450000-0x000001E829705000-memory.dmp

Filesize
2.7MB

Download
memory/2272-207-0x000001E829450000-0x000001E829705000-memory.dmp

Filesize
2.7MB

Download
memory/2272-200-0x00007FF610BD6890-mapping.dmp

Download
memory/2272-201-0x000001E82AEB0000-0x000001E82AFF0000-memory.dmp

Filesize
1.2MB

Download
memory/2272-202-0x000001E82AEB0000-0x000001E82AFF0000-memory.dmp

Filesize
1.2MB

Download
memory/2272-205-0x0000000000120000-0x00000000003C4000-memory.dmp

Filesize
2.6MB

Download
memory/2296-309-0x0000000000000000-mapping.dmp

Download
memory/2708-305-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2708-257-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-242-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-243-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-244-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-245-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-186-0x0000000005590000-0x00000000060E5000-memory.dmp

Filesize
11.3MB

Download
memory/2708-228-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-247-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2708-172-0x0000000005590000-0x00000000060E5000-memory.dmp

Filesize
11.3MB

Download
memory/2708-171-0x0000000005590000-0x00000000060E5000-memory.dmp

Filesize
11.3MB

Download
memory/2708-306-0x0000000006207000-0x0000000006209000-memory.dmp

Filesize
8KB

Download
memory/2708-204-0x00000000061BA000-0x00000000061BC000-memory.dmp

Filesize
8KB

Download
memory/2708-342-0x0000000006207000-0x0000000006209000-memory.dmp

Filesize
8KB

Download
memory/2708-254-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-255-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-256-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-231-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-239-0x00000000061BA000-0x00000000061BC000-memory.dmp

Filesize
8KB

Download
memory/2708-197-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-229-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-230-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-198-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-263-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2708-323-0x0000000006207000-0x0000000006209000-memory.dmp

Filesize
8KB

Download
memory/2708-265-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2708-266-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-267-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-268-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-179-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-322-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2708-180-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-199-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-165-0x0000000000000000-mapping.dmp

Download
memory/2708-196-0x00000000061B0000-0x00000000062F0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-293-0x0000000006203000-0x0000000006205000-memory.dmp

Filesize
8KB

Download
memory/2820-351-0x00007FF610BD6890-mapping.dmp

Download
memory/2856-355-0x0000000000000000-mapping.dmp

Download
memory/3404-195-0x0000000005090000-0x0000000005BE5000-memory.dmp

Filesize
11.3MB

Download
memory/3404-193-0x0000000000000000-mapping.dmp

Download
memory/3404-237-0x0000000005090000-0x0000000005BE5000-memory.dmp

Filesize
11.3MB

Download
memory/3464-295-0x0000000000000000-mapping.dmp

Download
memory/3736-333-0x0000000000000000-mapping.dmp

Download
memory/3928-332-0x0000000000000000-mapping.dmp

Download
memory/3956-258-0x00007FF610BD6890-mapping.dmp

Download
memory/3956-261-0x0000029BD7E20000-0x0000029BD80D5000-memory.dmp

Filesize
2.7MB

Download
memory/3956-259-0x0000029BD9880000-0x0000029BD99C0000-memory.dmp

Filesize
1.2MB

Download
memory/3956-264-0x0000029BD7E20000-0x0000029BD80D5000-memory.dmp

Filesize
2.7MB

Download
memory/3956-260-0x0000029BD9880000-0x0000029BD99C0000-memory.dmp

Filesize
1.2MB

Download
memory/3976-284-0x000001F8A17E0000-0x000001F8A1A95000-memory.dmp

Filesize
2.7MB

Download
memory/3976-282-0x000001F8A17E0000-0x000001F8A1A95000-memory.dmp

Filesize
2.7MB

Download
memory/3976-270-0x00007FF610BD6890-mapping.dmp

Download
memory/4128-253-0x0000000000000000-mapping.dmp

Download
memory/4200-236-0x00000000039C0000-0x0000000004515000-memory.dmp

Filesize
11.3MB

Download
memory/4200-192-0x00000000039C0000-0x0000000004515000-memory.dmp

Filesize
11.3MB

Download
memory/4200-185-0x00000000039C0000-0x0000000004515000-memory.dmp

Filesize
11.3MB

Download
memory/4252-345-0x0000000000000000-mapping.dmp

Download
memory/4280-343-0x0000028B8F140000-0x0000028B8F3F5000-memory.dmp

Filesize
2.7MB

Download
memory/4280-339-0x00007FF610BD6890-mapping.dmp

Download
memory/4280-346-0x0000028B8F140000-0x0000028B8F3F5000-memory.dmp

Filesize
2.7MB

Download
memory/4308-225-0x0000000000000000-mapping.dmp

Download
memory/4360-308-0x0000000000000000-mapping.dmp

Download
memory/4576-285-0x0000000000000000-mapping.dmp

Download
memory/4656-296-0x0000000000000000-mapping.dmp

Download
memory/5076-168-0x00000000049B1000-0x0000000004A9A000-memory.dmp

Filesize
932KB

Download
memory/5076-162-0x0000000000000000-mapping.dmp

Download
memory/5076-169-0x0000000004AA0000-0x0000000004BCE000-memory.dmp

Filesize
1.2MB

Download
memory/5076-170-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/5084-320-0x0000000000000000-mapping.dmp

Download