lumma | de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e

Analysis

max time kernel
99s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
Size

207KB
MD5

fe2648ff5d2ae4f0c9355f261677b258
SHA1

be7f19eb23ca3236921ebaa508887ed89e8e6881
SHA256

de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e
SHA512

f97343f93ed6ae124c6926429d1f1c23d9ef6482b3a62f0e0f88dfefa53122bb0deeefed9ef3cf073f863d70a18899225203cfa254db39aa24a8d99ed82aa416
SSDEEP

1536:y0tQukweXQwYFJUT2Dsnyhf/DUY7P7K5z7L/nD5djJ1gBdAWGOICB1kDzzTZCgAH:fXte80JQRKfD5/IAW+CQb1BYebD4ori

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3416-133-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

37 5048 rundll32.exe
41 5048 rundll32.exe
57 5048 rundll32.exe
61 5048 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E0EF.exeB5B.exe

pid process

524 E0EF.exe
3476 B5B.exe

flow	pid	process
37	5048	rundll32.exe
41	5048	rundll32.exe
57	5048	rundll32.exe
61	5048	rundll32.exe

pid	process
524	E0EF.exe
3476	B5B.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_new.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

5048 rundll32.exe
1940 svchost.exe
4800 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5048	rundll32.exe
1940	svchost.exe
4800	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5048 set thread context of 1972	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 4700	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 2704	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 4344	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 4556	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 4404	5048	rundll32.exe	rundll32.exe
PID 5048 set thread context of 1132	5048	rundll32.exe	rundll32.exe

Drops file in Program Files directory 18 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOnNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3812 524 WerFault.exe E0EF.exe
1776 3476 WerFault.exe B5B.exe

pid	pid_target	process	target process
3812	524	WerFault.exe	E0EF.exe
1776	3476	WerFault.exe	B5B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f561452100054656d7000003a0009000400efbe6b55586c2f5614522e000000000000000000000000000000000000000000000000005578aa00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2176

pid	process
2176

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe

pid	process
3416	de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
3416	de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2176
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe

pid process

3416 de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe

pid	process
2176

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeDebugPrivilege	5048	rundll32.exe
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1972	rundll32.exe
2176
2176
2176
2176
2176
2176
2176
2176
5048	rundll32.exe
4700	rundll32.exe
5048	rundll32.exe
2704	rundll32.exe
5048	rundll32.exe
4344	rundll32.exe
4556	rundll32.exe
5048	rundll32.exe
4404	rundll32.exe
5048	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2176
2176

pid	process
2176
2176

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

E0EF.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2176 wrote to memory of 524	2176		E0EF.exe
PID 2176 wrote to memory of 524	2176		E0EF.exe
PID 2176 wrote to memory of 524	2176		E0EF.exe
PID 524 wrote to memory of 5048	524	E0EF.exe	rundll32.exe
PID 524 wrote to memory of 5048	524	E0EF.exe	rundll32.exe
PID 524 wrote to memory of 5048	524	E0EF.exe	rundll32.exe
PID 2176 wrote to memory of 3476	2176		B5B.exe
PID 2176 wrote to memory of 3476	2176		B5B.exe
PID 2176 wrote to memory of 3476	2176		B5B.exe
PID 1940 wrote to memory of 4800	1940	svchost.exe	rundll32.exe
PID 1940 wrote to memory of 4800	1940	svchost.exe	rundll32.exe
PID 1940 wrote to memory of 4800	1940	svchost.exe	rundll32.exe
PID 5048 wrote to memory of 1972	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 1972	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 1972	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4748	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4748	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4748	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4268	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4268	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4268	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4700	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4700	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4700	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4564	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4564	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4564	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 2704	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 2704	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 2704	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 1792	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 1792	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 1792	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 800	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 800	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 800	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4344	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4344	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4344	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 2472	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 2472	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 2472	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4556	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4556	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4556	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4664	5048	rundll32.exe	Conhost.exe
PID 5048 wrote to memory of 4664	5048	rundll32.exe	Conhost.exe
PID 5048 wrote to memory of 4664	5048	rundll32.exe	Conhost.exe
PID 5048 wrote to memory of 3808	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 3808	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 3808	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4404	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4404	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 4404	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 3276	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 3276	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 3276	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4640	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4640	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 4640	5048	rundll32.exe	schtasks.exe
PID 5048 wrote to memory of 1132	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 1132	5048	rundll32.exe	rundll32.exe
PID 5048 wrote to memory of 1132	5048	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe
"C:\Users\Admin\AppData\Local\Temp\de4cf4266de87614872aab673e8c92d07933ebcd1390a0e85f46a7544ff2b37e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3416

C:\Users\Admin\AppData\Local\Temp\E0EF.exe
C:\Users\Admin\AppData\Local\Temp\E0EF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5048

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4748

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4268

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4700

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4564

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:800

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4344

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4556

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4664

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3276

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:1132

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1604

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:1204

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3152

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:4444

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:4920

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:800

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1296

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:2680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4000

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4664

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:4868

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4684

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:856

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:4892

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5052

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:796

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 528
2⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 524 -ip 524
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\B5B.exe
C:\Users\Admin\AppData\Local\Temp\B5B.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1388
2⤵
- Program crash
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3476 -ip 3476
1⤵
PID:3156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_new.dll",mU5LekY=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll

Filesize
774KB

MD5
209396933b0c98c4e529d530e856beac

SHA1
b036753efd003633a78b3ab0c1e492e98f6d0c3d

SHA256
9683ce001f77bc324688be0c254347f4dff760373d9fb02e45c62f1cca7c9b1e

SHA512
6fd62c0c59d3eef81073331d1e2dab7d2b0b5b880782187bc7efc83f294b56e141e9bd0b4b8a245f2ed14c1b1db0bc01694dfce5913749f8cb11a5ae2299975a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll

Filesize
774KB

MD5
209396933b0c98c4e529d530e856beac

SHA1
b036753efd003633a78b3ab0c1e492e98f6d0c3d

SHA256
9683ce001f77bc324688be0c254347f4dff760373d9fb02e45c62f1cca7c9b1e

SHA512
6fd62c0c59d3eef81073331d1e2dab7d2b0b5b880782187bc7efc83f294b56e141e9bd0b4b8a245f2ed14c1b1db0bc01694dfce5913749f8cb11a5ae2299975a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Active.GRL

Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SettingsLocationTemplate2013.xsd

Filesize
11KB

MD5
492e8dea7892f6198ee95b42424eab81

SHA1
246cc91c7d3e5d780e78192ee033f791e516b127

SHA256
e86dc0cf66df362220ae64e89480897d23fc7a54b475be3f7f78fb9cdc9ab3b7

SHA512
577a6b692f0e09e03f294d1aaab112450fcc6abfc6240074997bdeb050f229c4849f76828d815f862b7215ec24cc3aad5aa516da0d0a1ec84b1041fdf2c3a63c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
f2eedd12cef2f9edef20c43d8e93866a

SHA1
5af296f9769145e78190f19dfabec145eeeb0058

SHA256
1954f558702a91d10178f8bc244bdb07ecaff21c46a0a8ba96d12d0eb5683453

SHA512
f7cd386248a9ed94248866f9e1733891e04c859b1366fbc01ae37e22d044b1f4e56bd6776240e71c71b1985b5dff3c120980af81a1730ad47ac545df8ae3f09d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\overlay.png

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml

Filesize
1KB

MD5
ba3f2a2801ae546e498881e8ec22a17c

SHA1
ab57705933a28c4f9e552f5a435ab8a7709fedc8

SHA256
af7a12135db48bf260cd6d7ce831810ef98ca05847c4b23086bc2e616e8b08f4

SHA512
3ae1c6d4bba1720b080c315e58c8b44685defd65031314a48c1de749e4cd13a42ccf5f0de4202019c94b0ecbd1ab9e6dbdfd39d5b6434909796f490246b6e302

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\settings.ico

Filesize
66KB

MD5
4896c2ad8ca851419425b06ec0fd95f2

SHA1
7d52e9355998f1b4487f8ef2b1b3785dec35d981

SHA256
1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3

SHA512
271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5B.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5B.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0EF.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0EF.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_new.dll

Filesize
774KB

MD5
209396933b0c98c4e529d530e856beac

SHA1
b036753efd003633a78b3ab0c1e492e98f6d0c3d

SHA256
9683ce001f77bc324688be0c254347f4dff760373d9fb02e45c62f1cca7c9b1e

SHA512
6fd62c0c59d3eef81073331d1e2dab7d2b0b5b880782187bc7efc83f294b56e141e9bd0b4b8a245f2ed14c1b1db0bc01694dfce5913749f8cb11a5ae2299975a

Download Submit
memory/524-144-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/524-136-0x0000000000000000-mapping.dmp

Download
memory/524-143-0x0000000004AD0000-0x0000000004BFE000-memory.dmp

Filesize
1.2MB

Download
memory/524-142-0x00000000049D9000-0x0000000004AC2000-memory.dmp

Filesize
932KB

Download
memory/700-353-0x00007FF7D1AC6890-mapping.dmp

Download
memory/796-346-0x0000000000000000-mapping.dmp

Download
memory/800-299-0x0000000000000000-mapping.dmp

Download
memory/800-211-0x0000000000000000-mapping.dmp

Download
memory/856-323-0x0000000000000000-mapping.dmp

Download
memory/1132-252-0x00007FF7D1AC6890-mapping.dmp

Download
memory/1132-255-0x0000020040CD0000-0x0000020040F85000-memory.dmp

Filesize
2.7MB

Download
memory/1132-257-0x0000020040CD0000-0x0000020040F85000-memory.dmp

Filesize
2.7MB

Download
memory/1132-253-0x0000020042730000-0x0000020042870000-memory.dmp

Filesize
1.2MB

Download
memory/1132-254-0x0000020042730000-0x0000020042870000-memory.dmp

Filesize
1.2MB

Download
memory/1204-274-0x00007FF7D1AC6890-mapping.dmp

Download
memory/1204-275-0x0000026B791C0000-0x0000026B79300000-memory.dmp

Filesize
1.2MB

Download
memory/1204-278-0x0000026B79350000-0x0000026B79605000-memory.dmp

Filesize
2.7MB

Download
memory/1204-276-0x0000026B791C0000-0x0000026B79300000-memory.dmp

Filesize
1.2MB

Download
memory/1204-279-0x0000026B79350000-0x0000026B79605000-memory.dmp

Filesize
2.7MB

Download
memory/1296-300-0x0000000000000000-mapping.dmp

Download
memory/1604-258-0x0000000000000000-mapping.dmp

Download
memory/1792-208-0x0000000000000000-mapping.dmp

Download
memory/1916-268-0x0000029140EB0000-0x0000029141165000-memory.dmp

Filesize
2.7MB

Download
memory/1916-267-0x0000029140EB0000-0x0000029141165000-memory.dmp

Filesize
2.7MB

Download
memory/1916-264-0x00007FF7D1AC6890-mapping.dmp

Download
memory/1916-265-0x0000029142910000-0x0000029142A50000-memory.dmp

Filesize
1.2MB

Download
memory/1916-266-0x0000029142910000-0x0000029142A50000-memory.dmp

Filesize
1.2MB

Download
memory/1940-195-0x0000000003F70000-0x0000000004AC5000-memory.dmp

Filesize
11.3MB

Download
memory/1940-169-0x0000000003F70000-0x0000000004AC5000-memory.dmp

Filesize
11.3MB

Download
memory/1940-160-0x0000000003F70000-0x0000000004AC5000-memory.dmp

Filesize
11.3MB

Download
memory/1972-175-0x00007FF7D1AC6890-mapping.dmp

Download
memory/1972-178-0x000001F987430000-0x000001F987570000-memory.dmp

Filesize
1.2MB

Download
memory/1972-176-0x000001F987430000-0x000001F987570000-memory.dmp

Filesize
1.2MB

Download
memory/1972-181-0x0000000000620000-0x00000000008C4000-memory.dmp

Filesize
2.6MB

Download
memory/1972-182-0x000001F9859D0000-0x000001F985C85000-memory.dmp

Filesize
2.7MB

Download
memory/1972-184-0x000001F9859D0000-0x000001F985C85000-memory.dmp

Filesize
2.7MB

Download
memory/2472-221-0x0000000000000000-mapping.dmp

Download
memory/2516-256-0x0000000000000000-mapping.dmp

Download
memory/2680-313-0x0000021201840000-0x0000021201AF5000-memory.dmp

Filesize
2.7MB

Download
memory/2680-310-0x0000021201840000-0x0000021201AF5000-memory.dmp

Filesize
2.7MB

Download
memory/2680-306-0x00007FF7D1AC6890-mapping.dmp

Download
memory/2704-209-0x0000020040FB0000-0x0000020041265000-memory.dmp

Filesize
2.7MB

Download
memory/2704-207-0x0000020040FB0000-0x0000020041265000-memory.dmp

Filesize
2.7MB

Download
memory/2704-206-0x0000020042A10000-0x0000020042B50000-memory.dmp

Filesize
1.2MB

Download
memory/2704-205-0x0000020042A10000-0x0000020042B50000-memory.dmp

Filesize
1.2MB

Download
memory/2704-203-0x00007FF7D1AC6890-mapping.dmp

Download
memory/2924-345-0x00000198281C0000-0x0000019828475000-memory.dmp

Filesize
2.7MB

Download
memory/2924-348-0x00000198281C0000-0x0000019828475000-memory.dmp

Filesize
2.7MB

Download
memory/2924-341-0x00007FF7D1AC6890-mapping.dmp

Download
memory/3152-280-0x0000000000000000-mapping.dmp

Download
memory/3276-245-0x0000000000000000-mapping.dmp

Download
memory/3400-312-0x0000000000000000-mapping.dmp

Download
memory/3416-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/3416-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/3416-133-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/3416-132-0x0000000002E28000-0x0000000002E39000-memory.dmp

Filesize
68KB

Download
memory/3476-148-0x0000000002E49000-0x0000000002E63000-memory.dmp

Filesize
104KB

Download
memory/3476-151-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/3476-145-0x0000000000000000-mapping.dmp

Download
memory/3476-149-0x0000000002E00000-0x0000000002E2A000-memory.dmp

Filesize
168KB

Download
memory/3476-150-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/3632-289-0x0000000000000000-mapping.dmp

Download
memory/3808-233-0x0000000000000000-mapping.dmp

Download
memory/4000-311-0x0000000000000000-mapping.dmp

Download
memory/4240-269-0x0000000000000000-mapping.dmp

Download
memory/4240-347-0x0000000000000000-mapping.dmp

Download
memory/4268-185-0x0000000000000000-mapping.dmp

Download
memory/4344-220-0x000001A4DB420000-0x000001A4DB6D5000-memory.dmp

Filesize
2.7MB

Download
memory/4344-216-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4344-217-0x000001A4DCE80000-0x000001A4DCFC0000-memory.dmp

Filesize
1.2MB

Download
memory/4344-218-0x000001A4DCE80000-0x000001A4DCFC0000-memory.dmp

Filesize
1.2MB

Download
memory/4344-222-0x000001A4DB420000-0x000001A4DB6D5000-memory.dmp

Filesize
2.7MB

Download
memory/4404-241-0x0000027A20E70000-0x0000027A20FB0000-memory.dmp

Filesize
1.2MB

Download
memory/4404-244-0x0000027A1F410000-0x0000027A1F6C5000-memory.dmp

Filesize
2.7MB

Download
memory/4404-240-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4404-242-0x0000027A20E70000-0x0000027A20FB0000-memory.dmp

Filesize
1.2MB

Download
memory/4404-247-0x0000027A1F410000-0x0000027A1F6C5000-memory.dmp

Filesize
2.7MB

Download
memory/4444-285-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4444-290-0x0000021DCCA80000-0x0000021DCCD35000-memory.dmp

Filesize
2.7MB

Download
memory/4444-286-0x0000021DCE500000-0x0000021DCE640000-memory.dmp

Filesize
1.2MB

Download
memory/4444-288-0x0000021DCCA80000-0x0000021DCCD35000-memory.dmp

Filesize
2.7MB

Download
memory/4524-277-0x0000000000000000-mapping.dmp

Download
memory/4556-228-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4556-229-0x000001CC0B1C0000-0x000001CC0B300000-memory.dmp

Filesize
1.2MB

Download
memory/4556-230-0x000001CC0B1C0000-0x000001CC0B300000-memory.dmp

Filesize
1.2MB

Download
memory/4556-231-0x000001CC098F0000-0x000001CC09BA5000-memory.dmp

Filesize
2.7MB

Download
memory/4556-234-0x000001CC098F0000-0x000001CC09BA5000-memory.dmp

Filesize
2.7MB

Download
memory/4564-197-0x0000000000000000-mapping.dmp

Download
memory/4604-334-0x0000000000000000-mapping.dmp

Download
memory/4640-246-0x0000000000000000-mapping.dmp

Download
memory/4664-232-0x0000000000000000-mapping.dmp

Download
memory/4684-322-0x0000000000000000-mapping.dmp

Download
memory/4700-194-0x000001CFB0D60000-0x000001CFB1015000-memory.dmp

Filesize
2.7MB

Download
memory/4700-196-0x000001CFB0D60000-0x000001CFB1015000-memory.dmp

Filesize
2.7MB

Download
memory/4700-192-0x000001CFB27C0000-0x000001CFB2900000-memory.dmp

Filesize
1.2MB

Download
memory/4700-191-0x000001CFB27C0000-0x000001CFB2900000-memory.dmp

Filesize
1.2MB

Download
memory/4700-190-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4748-183-0x0000000000000000-mapping.dmp

Download
memory/4800-174-0x00000000046B0000-0x0000000005205000-memory.dmp

Filesize
11.3MB

Download
memory/4800-179-0x00000000046B0000-0x0000000005205000-memory.dmp

Filesize
11.3MB

Download
memory/4800-177-0x00000000046B0000-0x0000000005205000-memory.dmp

Filesize
11.3MB

Download
memory/4800-167-0x0000000000000000-mapping.dmp

Download
memory/4868-325-0x000001948F610000-0x000001948F8C5000-memory.dmp

Filesize
2.7MB

Download
memory/4868-318-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4868-321-0x000001948F610000-0x000001948F8C5000-memory.dmp

Filesize
2.7MB

Download
memory/4892-330-0x00007FF7D1AC6890-mapping.dmp

Download
memory/4892-336-0x0000017AE51F0000-0x0000017AE54A5000-memory.dmp

Filesize
2.7MB

Download
memory/4892-333-0x0000017AE51F0000-0x0000017AE54A5000-memory.dmp

Filesize
2.7MB

Download
memory/4920-301-0x0000029893990000-0x0000029893C45000-memory.dmp

Filesize
2.7MB

Download
memory/4920-298-0x0000029893990000-0x0000029893C45000-memory.dmp

Filesize
2.7MB

Download
memory/4920-295-0x00007FF7D1AC6890-mapping.dmp

Download
memory/5048-224-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-260-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-261-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-262-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-263-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-259-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-251-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-250-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-249-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-248-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-243-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-270-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-271-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-272-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-273-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-239-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-238-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-237-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-236-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-235-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-226-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-227-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-281-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-282-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-283-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-284-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-225-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-223-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-219-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-215-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-214-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-213-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-212-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-210-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-204-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-202-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-201-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-309-0x0000000007B7F000-0x0000000007B81000-memory.dmp

Filesize
8KB

Download
memory/5048-200-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-199-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-198-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-193-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-189-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-188-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-187-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-186-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-324-0x0000000007B7F000-0x0000000007B81000-memory.dmp

Filesize
8KB

Download
memory/5048-180-0x00000000061D6000-0x00000000061D8000-memory.dmp

Filesize
8KB

Download
memory/5048-173-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-171-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-172-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-170-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-159-0x00000000054E0000-0x0000000006035000-memory.dmp

Filesize
11.3MB

Download
memory/5048-344-0x0000000007B7F000-0x0000000007B81000-memory.dmp

Filesize
8KB

Download
memory/5048-155-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-154-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/5048-153-0x00000000054E0000-0x0000000006035000-memory.dmp

Filesize
11.3MB

Download
memory/5048-152-0x00000000054E0000-0x0000000006035000-memory.dmp

Filesize
11.3MB

Download
memory/5048-139-0x0000000000000000-mapping.dmp

Download
memory/5052-335-0x0000000000000000-mapping.dmp

Download