lumma | f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf

Analysis

max time kernel
114s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
Size

206KB
MD5

92d0a6826636d3f7d4f3b0372c9c4023
SHA1

6c8231914edf2d55403ccdb1b9047d43f838324d
SHA256

f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf
SHA512

ff7dd3ac82211f26eeb625f37f8f4c58f358800487d1803faa5bdf6c6aaa5a2ae3863e69b0204181a386bfc4f1775457eef1a7cad74787918e3b9b50382087d5
SSDEEP

3072:NX99be2Gn+SfafXyYT5syFlzrk2GCLtNqOcxtpeWapb:J+2Gn+Sf7rSlXvoMp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3452-133-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exeschtasks.exe

flow	pid	process
32	5056	rundll32.exe
36	5056	rundll32.exe
53	5056	rundll32.exe
58	5056	rundll32.exe
62	5056	rundll32.exe
72	5056	rundll32.exe
73	5056	rundll32.exe
88	5096	schtasks.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D93E.exe2404.exe

pid process

4928 D93E.exe
4236 2404.exe

pid	process
4928	D93E.exe
4236	2404.exe

Sets DLL path for service in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_agreement_filetype.dll\uf400"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_agreement_filetype.dll᠀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_agreement_filetype.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_agreement_filetype.dllἀ"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

5056 rundll32.exe
1872 svchost.exe
3368 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5056	rundll32.exe
1872	svchost.exe
3368	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5056 set thread context of 4500	5056	rundll32.exe	rundll32.exe
PID 5056 set thread context of 796	5056	rundll32.exe	rundll32.exe
PID 5056 set thread context of 3976	5056	rundll32.exe	rundll32.exe
PID 5056 set thread context of 4532	5056	rundll32.exe	rundll32.exe

Drops file in Program Files directory 45 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eBook.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Redact_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1968 4928 WerFault.exe D93E.exe
5076 4236 WerFault.exe 2404.exe

pid	pid_target	process	target process
1968	4928	WerFault.exe	D93E.exe
5076	4236	WerFault.exe	2404.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 48 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f562812100054656d7000003a0009000400efbe0c5519992f5628122e00000000000000000000000000000000000000000000000000c81f2800540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

780

pid	process
780

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe

pid	process
3452	f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
3452	f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

780
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe

pid process

3452 f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe

pid	process
780

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4500 rundll32.exe
780
780
780
780
780
780
780
780
5056 rundll32.exe
796 rundll32.exe
5056 rundll32.exe
3976 rundll32.exe
5056 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

780
780

pid	process
4500	rundll32.exe
780
780
780
780
780
780
780
780
5056	rundll32.exe
796	rundll32.exe
5056	rundll32.exe
3976	rundll32.exe
5056	rundll32.exe

pid	process
780
780

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

D93E.exesvchost.exerundll32.exe

description	pid	process	target process
PID 780 wrote to memory of 4928	780		D93E.exe
PID 780 wrote to memory of 4928	780		D93E.exe
PID 780 wrote to memory of 4928	780		D93E.exe
PID 4928 wrote to memory of 5056	4928	D93E.exe	rundll32.exe
PID 4928 wrote to memory of 5056	4928	D93E.exe	rundll32.exe
PID 4928 wrote to memory of 5056	4928	D93E.exe	rundll32.exe
PID 780 wrote to memory of 4236	780		2404.exe
PID 780 wrote to memory of 4236	780		2404.exe
PID 780 wrote to memory of 4236	780		2404.exe
PID 1872 wrote to memory of 3368	1872	svchost.exe	rundll32.exe
PID 1872 wrote to memory of 3368	1872	svchost.exe	rundll32.exe
PID 1872 wrote to memory of 3368	1872	svchost.exe	rundll32.exe
PID 5056 wrote to memory of 4500	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 4500	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 4500	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 3736	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 3736	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 3736	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 1652	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 1652	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 1652	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 796	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 796	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 796	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 764	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 764	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 764	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 212	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 212	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 212	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 3976	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 3976	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 3976	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 4496	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4496	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4496	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4232	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4232	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4232	5056	rundll32.exe	schtasks.exe
PID 5056 wrote to memory of 4532	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 4532	5056	rundll32.exe	rundll32.exe
PID 5056 wrote to memory of 4532	5056	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe
"C:\Users\Admin\AppData\Local\Temp\f3b02bdb014a254fab986b14c350479004027e03127e8ce1ed72f94674d957cf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3452

C:\Users\Admin\AppData\Local\Temp\D93E.exe
C:\Users\Admin\AppData\Local\Temp\D93E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5056

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3736

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:796

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4496

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4232

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:4532

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4516

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
- Blocklisted process makes network request
PID:5096

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1604

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2532

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3624

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:2420

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 520
2⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\2404.exe
C:\Users\Admin\AppData\Local\Temp\2404.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1328
2⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4236 -ip 4236
1⤵
PID:3652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\s_agreement_filetype.dll",bw5hVFE=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll

Filesize
774KB

MD5
6d6f852dfe746cb21a84e83b013131f8

SHA1
b26f88c4877a064f57d70b2d8a9ee279ba289d8d

SHA256
4f53898f6b5081426576fc806c3b57850df2f161d369881188b561eab9fdd45e

SHA512
70272cbd706a915a7a9809af2213d8580d556135f1338b994c9706028e371e638d36a4fe2dc84d3775e7251363d71c26389adc7eaa118c16edadf16103a6ad57

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll

Filesize
774KB

MD5
6d6f852dfe746cb21a84e83b013131f8

SHA1
b26f88c4877a064f57d70b2d8a9ee279ba289d8d

SHA256
4f53898f6b5081426576fc806c3b57850df2f161d369881188b561eab9fdd45e

SHA512
70272cbd706a915a7a9809af2213d8580d556135f1338b994c9706028e371e638d36a4fe2dc84d3775e7251363d71c26389adc7eaa118c16edadf16103a6ad57

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
2693cb4d0d47298d60c5b4210d567e56

SHA1
20b67bce8310a93c5756d83d13febdcaff5f3b39

SHA256
d98dec16b13c3e4a23823be0bcd45f685c6dc690ae28954c0c18075e77898f20

SHA512
034cb9620ea7f9aa793ad8e0c8e30b11244e7952d871d1f8cbb1ff6daa765fd9afc2a54f221f0a323511f4aa7b985ff61c2f0b983668c7e390f3f99699dc89c9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiST0000.001

Filesize
64KB

MD5
2a1801484fed207d6469068f57a62214

SHA1
c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e

SHA256
30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28

SHA512
a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\EventStore.db

Filesize
20KB

MD5
a5d0c68b795da553cf038fa776a4ee86

SHA1
03f4225c4e74d88e0936f31e2c162fda28751899

SHA256
574b8358c4063fb82c207de10b922c87d26e57207f355dc5bf4e8b209f1545e1

SHA512
ae21861d90f47d3ffbc7c8d669f23aabaa460fc8db74df0975c61ed1bb0b369eff94ca86a085b19bcb65eb708311883896c36a5bd692d9c2141e3b83b06384e3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
26KB

MD5
2bc8ee174a90308d275eda81bf42d95e

SHA1
284647d3ee515e4794d1984d2f01989f33121d2d

SHA256
d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8

SHA512
fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml

Filesize
9KB

MD5
993d82e37af681bd65f1d428b6ee281e

SHA1
bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65

SHA256
1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8

SHA512
4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
cf0330a44354655f192bc5f1976564e5

SHA1
d993f0dbfdb68552bbf3381d07fb2b26b79e16aa

SHA256
9727e4d3cf3fcc5dcc364cd990f41a4be98d227b0ce975fa97cef0ef8eaa5b78

SHA512
36aeacbb9b0d6ed2a51d23376ab6e583c258c128bf3de0069523441dda98a68a65592792ebd883a7ea8f21768da91c9826a4551cf9e02c01480110941b6e401a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftLync2013Win32.xml

Filesize
2KB

MD5
fa5b7d129ddfd18b73d3a4a0b0fb4c87

SHA1
b5e32bd5772cfb50174451d4818670d32088ff85

SHA256
4452719f5b16e474e6ae407fb56f7e68f0308920938d749a4d46cded948c116d

SHA512
99fd882c7f9a333143367e09590b9c71c9aa3957205a2dd26097ae88a54265d7272968ec99c755ef6d7741ff8e690b53492321b42129c990c870beb6322eb034

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013BackupWin64.xml

Filesize
12KB

MD5
d24bea7d3b999f28e375d1d061a03d97

SHA1
95b207708762aa4752c77728128cbe3033646204

SHA256
57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2

SHA512
3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
4a33643afe81311ab5c2ec78ad3614cd

SHA1
ff7ec253c0389ab59455ed9624c64f7d2a325fb5

SHA256
826838f6375b910e4cfb15519a99acd45a2eae8715b49ed4d541d3a401986424

SHA512
3925026a553d9e61214d0cb53283186fce1c323222c75c7518b9b7db18027b184fd9c9f6c0d8087b65c2184f2cfe0fb55677cbfc9e477243a9d58bca469dd2f0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\device.png

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.jcp

Filesize
8KB

MD5
9272ba2162f3b7c1e450d754270e382d

SHA1
bdf9a027d08a3582c1310b897abe15d91596845e

SHA256
c346a31745a0ecda5daca539cd11073a995d2c3a5e271dd68a5b417ae21c3811

SHA512
ec37907098171dea3dfd3d2ae7c65901f5e78083dd62533cae46209a2bdf759677089a3d9ec3da7b5ebafa74d4e53266e21355031a21715f79247798dd060a74

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\osver.txt

Filesize
10B

MD5
bea59a2f25178d677087edde21c60be7

SHA1
56844a00adee7f8d2c161808de19ce6fd191fb61

SHA256
4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80

SHA512
008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\qmgr.jfm

Filesize
16KB

MD5
843a02b42a43d5682dd7b34e168a35d4

SHA1
b339fffcf7c21e777d64ec78df7dcafa954190a8

SHA256
b9cee463ab07bfa7512e1d6a3fc7498c49f07153301ff177f3a990ef2d6ac70f

SHA512
38d699a757e28c11b667d21e87ebf540efa316df40d9185097b379f89feb455b9d0486efcb9601282033849d338d25d37210c1cf211ef20dab34a5d3d3bfee42

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml

Filesize
1KB

MD5
09e877cc25ec3ade6e0d56000025e7ae

SHA1
fef683c766926d84804867a6a711c200e2ceb406

SHA256
995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

SHA512
02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\s640.hash

Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\user.bmp

Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\utc.tracing.json.bk

Filesize
28B

MD5
6c7e84cb1a40e1e6a5cfe37e2ceaad04

SHA1
a2781444bb3c55196292df729b01be707ec1953a

SHA256
c6bf69533d3fc2c00d2e601726411163cae0e6cb168662eb6a58b492a25b042c

SHA512
97c9bc007beda6e6ea9c9aeea3f4033fe77304d5417a9f9f97ede9ed168f7259053f5861227a3a7eaa4859d1d1a7898705b0f8aae9527b4b607ab205e3b6e9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2404.exe

Filesize
245KB

MD5
1a4cb36561008522c8b528e1e1ea962a

SHA1
3b9bdcd2cc23dfc50c4ec61a55a6ba81f323fa89

SHA256
247ab0e8ef27732ed2f39829d4229c3a3b6bfe461674818c730dfeecde8eca23

SHA512
586aa9385e3b96589665a91f9228230173b80bc5d5ce0802eea325eb74dc6e6d2bedcdd293e14f8ba4ae4a461da01abfb5c88d9263ee37543531dda8a9a9cb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\2404.exe

Filesize
245KB

MD5
1a4cb36561008522c8b528e1e1ea962a

SHA1
3b9bdcd2cc23dfc50c4ec61a55a6ba81f323fa89

SHA256
247ab0e8ef27732ed2f39829d4229c3a3b6bfe461674818c730dfeecde8eca23

SHA512
586aa9385e3b96589665a91f9228230173b80bc5d5ce0802eea325eb74dc6e6d2bedcdd293e14f8ba4ae4a461da01abfb5c88d9263ee37543531dda8a9a9cb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\D93E.exe

Filesize
1.0MB

MD5
ee055bcdd3d46fe8bf8c62e12fe6891b

SHA1
be3130de2b153f3666f375cd317fba13d0083a01

SHA256
6db754fef312e7d40ba60209145baac2a8b45684a35fc353c468e405554245af

SHA512
7133e039a0cf8886c89f5f28d3ae06f6098cdd52955b1bc98ecb8e08422d3cacb96d8b3a032c7803a07e8671e5c9fd853e4f11dc5ec52e0f8e1b12824776bed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D93E.exe

Filesize
1.0MB

MD5
ee055bcdd3d46fe8bf8c62e12fe6891b

SHA1
be3130de2b153f3666f375cd317fba13d0083a01

SHA256
6db754fef312e7d40ba60209145baac2a8b45684a35fc353c468e405554245af

SHA512
7133e039a0cf8886c89f5f28d3ae06f6098cdd52955b1bc98ecb8e08422d3cacb96d8b3a032c7803a07e8671e5c9fd853e4f11dc5ec52e0f8e1b12824776bed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\s_agreement_filetype.dll

Filesize
774KB

MD5
6d6f852dfe746cb21a84e83b013131f8

SHA1
b26f88c4877a064f57d70b2d8a9ee279ba289d8d

SHA256
4f53898f6b5081426576fc806c3b57850df2f161d369881188b561eab9fdd45e

SHA512
70272cbd706a915a7a9809af2213d8580d556135f1338b994c9706028e371e638d36a4fe2dc84d3775e7251363d71c26389adc7eaa118c16edadf16103a6ad57

Download Submit
memory/212-207-0x0000000000000000-mapping.dmp

Download
memory/764-204-0x0000000000000000-mapping.dmp

Download
memory/796-199-0x00007FF66EEB6890-mapping.dmp

Download
memory/796-200-0x000001C1A4DD0000-0x000001C1A4F10000-memory.dmp

Filesize
1.2MB

Download
memory/796-201-0x000001C1A4DD0000-0x000001C1A4F10000-memory.dmp

Filesize
1.2MB

Download
memory/796-203-0x000001C1A3370000-0x000001C1A3625000-memory.dmp

Filesize
2.7MB

Download
memory/796-206-0x000001C1A3370000-0x000001C1A3625000-memory.dmp

Filesize
2.7MB

Download
memory/1368-252-0x000001F0CD7D0000-0x000001F0CDA85000-memory.dmp

Filesize
2.7MB

Download
memory/1368-249-0x000001F0CF230000-0x000001F0CF370000-memory.dmp

Filesize
1.2MB

Download
memory/1368-250-0x000001F0CD7D0000-0x000001F0CDA85000-memory.dmp

Filesize
2.7MB

Download
memory/1368-248-0x000001F0CF230000-0x000001F0CF370000-memory.dmp

Filesize
1.2MB

Download
memory/1368-247-0x00007FF66EEB6890-mapping.dmp

Download
memory/1604-251-0x0000000000000000-mapping.dmp

Download
memory/1652-194-0x0000000000000000-mapping.dmp

Download
memory/1672-259-0x0000026E13D20000-0x0000026E13E60000-memory.dmp

Filesize
1.2MB

Download
memory/1672-257-0x00007FF66EEB6890-mapping.dmp

Download
memory/1672-258-0x0000026E13D20000-0x0000026E13E60000-memory.dmp

Filesize
1.2MB

Download
memory/1672-260-0x0000026E122C0000-0x0000026E12575000-memory.dmp

Filesize
2.7MB

Download
memory/1672-262-0x0000026E122C0000-0x0000026E12575000-memory.dmp

Filesize
2.7MB

Download
memory/1872-177-0x0000000004640000-0x0000000005195000-memory.dmp

Filesize
11.3MB

Download
memory/1872-160-0x0000000004640000-0x0000000005195000-memory.dmp

Filesize
11.3MB

Download
memory/1872-205-0x0000000004640000-0x0000000005195000-memory.dmp

Filesize
11.3MB

Download
memory/1992-242-0x0000000000000000-mapping.dmp

Download
memory/2288-268-0x00007FF66EEB6890-mapping.dmp

Download
memory/2288-270-0x000001D73FD60000-0x000001D73FEA0000-memory.dmp

Filesize
1.2MB

Download
memory/2288-272-0x000001D73E300000-0x000001D73E5B5000-memory.dmp

Filesize
2.7MB

Download
memory/2288-271-0x000001D73E300000-0x000001D73E5B5000-memory.dmp

Filesize
2.7MB

Download
memory/2288-269-0x000001D73FD60000-0x000001D73FEA0000-memory.dmp

Filesize
1.2MB

Download
memory/2420-279-0x000002DA6C4C0000-0x000002DA6C600000-memory.dmp

Filesize
1.2MB

Download
memory/2420-283-0x000002DA6AA60000-0x000002DA6AD15000-memory.dmp

Filesize
2.7MB

Download
memory/2420-278-0x00007FF66EEB6890-mapping.dmp

Download
memory/2420-280-0x000002DA6C4C0000-0x000002DA6C600000-memory.dmp

Filesize
1.2MB

Download
memory/2420-281-0x000002DA6AA60000-0x000002DA6AD15000-memory.dmp

Filesize
2.7MB

Download
memory/2532-261-0x0000000000000000-mapping.dmp

Download
memory/3132-282-0x0000000000000000-mapping.dmp

Download
memory/3368-186-0x0000000005370000-0x0000000005EC5000-memory.dmp

Filesize
11.3MB

Download
memory/3368-180-0x0000000005370000-0x0000000005EC5000-memory.dmp

Filesize
11.3MB

Download
memory/3368-182-0x0000000005370000-0x0000000005EC5000-memory.dmp

Filesize
11.3MB

Download
memory/3368-178-0x0000000000000000-mapping.dmp

Download
memory/3452-132-0x0000000002BC8000-0x0000000002BD8000-memory.dmp

Filesize
64KB

Download
memory/3452-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/3452-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/3452-133-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/3484-273-0x0000000000000000-mapping.dmp

Download
memory/3624-264-0x0000000000000000-mapping.dmp

Download
memory/3736-191-0x0000000000000000-mapping.dmp

Download
memory/3976-216-0x0000023CF9E40000-0x0000023CFA0F5000-memory.dmp

Filesize
2.7MB

Download
memory/3976-212-0x00007FF66EEB6890-mapping.dmp

Download
memory/3976-213-0x0000023CFB8A0000-0x0000023CFB9E0000-memory.dmp

Filesize
1.2MB

Download
memory/3976-214-0x0000023CFB8A0000-0x0000023CFB9E0000-memory.dmp

Filesize
1.2MB

Download
memory/3976-218-0x0000023CF9E40000-0x0000023CFA0F5000-memory.dmp

Filesize
2.7MB

Download
memory/4068-239-0x00000219E10C0000-0x00000219E1200000-memory.dmp

Filesize
1.2MB

Download
memory/4068-238-0x00000219E10C0000-0x00000219E1200000-memory.dmp

Filesize
1.2MB

Download
memory/4068-241-0x00000219DF7F0000-0x00000219DFAA5000-memory.dmp

Filesize
2.7MB

Download
memory/4068-237-0x00007FF66EEB6890-mapping.dmp

Download
memory/4068-240-0x00000219DF7F0000-0x00000219DFAA5000-memory.dmp

Filesize
2.7MB

Download
memory/4232-219-0x0000000000000000-mapping.dmp

Download
memory/4236-152-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4236-147-0x0000000000000000-mapping.dmp

Download
memory/4236-154-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4236-150-0x0000000002FA9000-0x0000000002FC3000-memory.dmp

Filesize
104KB

Download
memory/4236-151-0x00000000047A0000-0x00000000047CA000-memory.dmp

Filesize
168KB

Download
memory/4496-217-0x0000000000000000-mapping.dmp

Download
memory/4500-188-0x000001F393740000-0x000001F393880000-memory.dmp

Filesize
1.2MB

Download
memory/4500-192-0x000001F391E70000-0x000001F392125000-memory.dmp

Filesize
2.7MB

Download
memory/4500-187-0x00007FF66EEB6890-mapping.dmp

Download
memory/4500-189-0x000001F393740000-0x000001F393880000-memory.dmp

Filesize
1.2MB

Download
memory/4500-190-0x00000000009B0000-0x0000000000C54000-memory.dmp

Filesize
2.6MB

Download
memory/4500-193-0x000001F391E70000-0x000001F392125000-memory.dmp

Filesize
2.7MB

Download
memory/4516-229-0x0000000000000000-mapping.dmp

Download
memory/4532-224-0x00007FF66EEB6890-mapping.dmp

Download
memory/4532-227-0x000001C8094F0000-0x000001C809630000-memory.dmp

Filesize
1.2MB

Download
memory/4532-228-0x000001C809680000-0x000001C809935000-memory.dmp

Filesize
2.7MB

Download
memory/4532-225-0x000001C8094F0000-0x000001C809630000-memory.dmp

Filesize
1.2MB

Download
memory/4532-230-0x000001C809680000-0x000001C809935000-memory.dmp

Filesize
2.7MB

Download
memory/4928-142-0x0000000004943000-0x0000000004A2C000-memory.dmp

Filesize
932KB

Download
memory/4928-144-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/4928-136-0x0000000000000000-mapping.dmp

Download
memory/4928-143-0x0000000004A30000-0x0000000004B5E000-memory.dmp

Filesize
1.2MB

Download
memory/5056-208-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-209-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-235-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-234-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-233-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-284-0x00000000054D0000-0x0000000006025000-memory.dmp

Filesize
11.3MB

Download
memory/5056-243-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-245-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-246-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-244-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-231-0x000000000619E000-0x00000000061A0000-memory.dmp

Filesize
8KB

Download
memory/5056-226-0x0000000007D35000-0x0000000007D37000-memory.dmp

Filesize
8KB

Download
memory/5056-223-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-222-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-221-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-220-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-253-0x0000000007C00000-0x0000000007D40000-memory.dmp

Filesize
1.2MB

Download
memory/5056-254-0x0000000007C00000-0x0000000007D40000-memory.dmp

Filesize
1.2MB

Download
memory/5056-255-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-256-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-215-0x000000000619E000-0x00000000061A0000-memory.dmp

Filesize
8KB

Download
memory/5056-211-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-210-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-236-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-202-0x0000000007D35000-0x0000000007D37000-memory.dmp

Filesize
8KB

Download
memory/5056-198-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-263-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-265-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-266-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-267-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-197-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-196-0x0000000007C00000-0x0000000007D40000-memory.dmp

Filesize
1.2MB

Download
memory/5056-195-0x0000000007C00000-0x0000000007D40000-memory.dmp

Filesize
1.2MB

Download
memory/5056-185-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-184-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-183-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-181-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-274-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-275-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-276-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-156-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-277-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-155-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5056-153-0x00000000054D0000-0x0000000006025000-memory.dmp

Filesize
11.3MB

Download
memory/5056-146-0x00000000054D0000-0x0000000006025000-memory.dmp

Filesize
11.3MB

Download
memory/5056-145-0x00000000054D0000-0x0000000006025000-memory.dmp

Filesize
11.3MB

Download
memory/5056-139-0x0000000000000000-mapping.dmp

Download
memory/5096-232-0x0000000000000000-mapping.dmp

Download