lumma | e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
Size

207KB
MD5

7b1395e32128a0680e1ba94da8e0c8fa
SHA1

df4ec062db84aeb1034ea7a371c26b35d06c473d
SHA256

e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096
SHA512

a901513260a867bf4fdcbc62f9bfb32aeabd50e886d5be839c93c0058a8ff0266ca27dd579a63030a299fe77467549512e6673f25bd62171a9025a3ab1c3ce98
SSDEEP

3072:xXNN7tSt+BVSD5vL4yRvjUzZvAmYAXOhFxv+tiSQRzm0bNHi:VtSyMoh5wQfjM

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5108-133-0x0000000004790000-0x0000000004799000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

46 4028 rundll32.exe
63 4028 rundll32.exe
79 4028 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

FEE7.exe8703.exe

pid process

3408 FEE7.exe
1272 8703.exe

flow	pid	process
46	4028	rundll32.exe
63	4028	rundll32.exe
79	4028	rundll32.exe

pid	process
3408	FEE7.exe
1272	8703.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_Exp_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4028 rundll32.exe
1976 svchost.exe
1900 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4028	rundll32.exe
1976	svchost.exe
1900	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4028 set thread context of 4412	4028	rundll32.exe	rundll32.exe
PID 4028 set thread context of 2428	4028	rundll32.exe	rundll32.exe
PID 4028 set thread context of 4732	4028	rundll32.exe	rundll32.exe
PID 4028 set thread context of 3404	4028	rundll32.exe	rundll32.exe
PID 4028 set thread context of 1916	4028	rundll32.exe	schtasks.exe
PID 4028 set thread context of 2100	4028	rundll32.exe	rundll32.exe

Drops file in Program Files directory 28 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\favicon.ico	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\32BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4612 3408 WerFault.exe FEE7.exe
3940 1272 WerFault.exe 8703.exe

pid	pid_target	process	target process
4612	3408	WerFault.exe	FEE7.exe
3940	1272	WerFault.exe	8703.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe

Checks processor information in registry 2 TTPs 63 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 57 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f562752100054656d7000003a0009000400efbe0c55ec982f562b522e0000000000000000000000000000000000000000000000000046de8400540065006d007000000014000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2432

pid	process
2432

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe

pid	process
5108	e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
5108	e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2432
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe

pid process

5108 e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe

pid	process
2432

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeDebugPrivilege	4028	rundll32.exe
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4412	rundll32.exe
2432
2432
2432
2432
4028	rundll32.exe
2432
2432
2432
2432
2428	rundll32.exe
4732	rundll32.exe
4028	rundll32.exe
3404	rundll32.exe
4028	rundll32.exe
2100	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2432
2432

pid	process
2432
2432

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

FEE7.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2432 wrote to memory of 3408	2432		FEE7.exe
PID 2432 wrote to memory of 3408	2432		FEE7.exe
PID 2432 wrote to memory of 3408	2432		FEE7.exe
PID 3408 wrote to memory of 4028	3408	FEE7.exe	rundll32.exe
PID 3408 wrote to memory of 4028	3408	FEE7.exe	rundll32.exe
PID 3408 wrote to memory of 4028	3408	FEE7.exe	rundll32.exe
PID 1976 wrote to memory of 1900	1976	svchost.exe	rundll32.exe
PID 1976 wrote to memory of 1900	1976	svchost.exe	rundll32.exe
PID 1976 wrote to memory of 1900	1976	svchost.exe	rundll32.exe
PID 2432 wrote to memory of 1272	2432		8703.exe
PID 2432 wrote to memory of 1272	2432		8703.exe
PID 2432 wrote to memory of 1272	2432		8703.exe
PID 4028 wrote to memory of 4412	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 4412	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 4412	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 504	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 504	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 504	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 2428	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 2428	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 2428	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3512	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 3512	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 3512	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 4732	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 4732	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 4732	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3836	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 3836	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 3836	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 3404	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3404	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 1988	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 1988	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 1988	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3404	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 1916	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 1916	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 1916	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 2100	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 2100	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 1916	4028	rundll32.exe	schtasks.exe
PID 4028 wrote to memory of 2100	4028	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe
"C:\Users\Admin\AppData\Local\Temp\e8f1504422844d1c6110aad3c029c3df60bf97df548123b73bfd8fff1cdeb096.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5108

C:\Users\Admin\AppData\Local\Temp\FEE7.exe
C:\Users\Admin\AppData\Local\Temp\FEE7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4412

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3512

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4732

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1916

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Suspicious use of FindShellTrayWindow
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4648

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1996

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3460

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3432

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3872

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3136

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1608

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2656

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5096

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2476

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4640

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1196

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4296

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4612

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3736

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2464

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 532
2⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3408 -ip 3408
1⤵
PID:1728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll",SRA5bVJE
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1900

C:\Users\Admin\AppData\Local\Temp\8703.exe
C:\Users\Admin\AppData\Local\Temp\8703.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1356
2⤵
- Program crash
PID:3940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1272 -ip 1272
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll

Filesize
774KB

MD5
9b6d7fc768f47c872a2e8f92f289e772

SHA1
6ca96e61607498175731c4a2e3279e7457fc4a37

SHA256
fb1990d435837cda02b10d86fb801d295f0de7836ce1b155908e17d12ea5ba05

SHA512
b17b27dbc45ddde66bbc543d40def3784bcf8d5c504be1e605c359c788bc2d4696971ad7c3043bb9c9712aea8f0dc0d8c085255097aab3da4e25b23dcf38bc89

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll

Filesize
774KB

MD5
9b6d7fc768f47c872a2e8f92f289e772

SHA1
6ca96e61607498175731c4a2e3279e7457fc4a37

SHA256
fb1990d435837cda02b10d86fb801d295f0de7836ce1b155908e17d12ea5ba05

SHA512
b17b27dbc45ddde66bbc543d40def3784bcf8d5c504be1e605c359c788bc2d4696971ad7c3043bb9c9712aea8f0dc0d8c085255097aab3da4e25b23dcf38bc89

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
35acff0f35559eac959647a7501385f7

SHA1
28e052e01fe4e0eac3eab461385460eff7efe271

SHA256
2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0

SHA512
f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
26KB

MD5
2bc8ee174a90308d275eda81bf42d95e

SHA1
284647d3ee515e4794d1984d2f01989f33121d2d

SHA256
d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8

SHA512
fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml

Filesize
2KB

MD5
13eb9cfbca43ebcd240e1fcff5acab4d

SHA1
5a0da86ab3f30905433677284eb843742f05afe5

SHA256
616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8

SHA512
256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
913B

MD5
be48ed7a27efec1cfe2fff47cd7487cf

SHA1
ac37f431251640b5dbe93fc68d97265a22cb68ba

SHA256
49300e653a9546101b9d906d9782250976b92aaa7f6d92b561f130d5ac6c856f

SHA512
4e86e8ac7a21465ef728d6f0c4949394d0145e119886b152b27bce6be4108e784e4f6224937f064741f0dfcdc4d9f9bec6933c30e0b5225a7458154316cd14cb

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftWordpad.xml

Filesize
1005B

MD5
576da3ac22d84c085a753ad324e5af0f

SHA1
1ce9245047e7da3eb4e81356434ca190fe4f924f

SHA256
214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303

SHA512
dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
51f50586255b392e66c05ba84c320342

SHA1
ea061728281946d081b196d4b7c568c7196fcceb

SHA256
8286f5907af1dbd64cc8267de92c8ed178eb23ed67b3e0b64cba34db8a14ad33

SHA512
5a1ab301524cda1ef55983774419ac40e41a592ca3427e4516a0c3bf88f63a4bef8195fd63b42687dfa553a000892e86b10df7214a753fd33d4d5f24ab0ecba3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\osver.txt

Filesize
10B

MD5
bea59a2f25178d677087edde21c60be7

SHA1
56844a00adee7f8d2c161808de19ce6fd191fb61

SHA256
4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80

SHA512
008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

Download Submit
C:\Users\Admin\AppData\Local\Temp\8703.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\8703.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE7.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE7.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll

Filesize
774KB

MD5
9b6d7fc768f47c872a2e8f92f289e772

SHA1
6ca96e61607498175731c4a2e3279e7457fc4a37

SHA256
fb1990d435837cda02b10d86fb801d295f0de7836ce1b155908e17d12ea5ba05

SHA512
b17b27dbc45ddde66bbc543d40def3784bcf8d5c504be1e605c359c788bc2d4696971ad7c3043bb9c9712aea8f0dc0d8c085255097aab3da4e25b23dcf38bc89

Download Submit
memory/504-180-0x0000000000000000-mapping.dmp

Download
memory/1196-320-0x0000000000000000-mapping.dmp

Download
memory/1272-166-0x0000000000000000-mapping.dmp

Download
memory/1272-204-0x0000000002C20000-0x0000000002C4A000-memory.dmp

Filesize
168KB

Download
memory/1272-205-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1272-215-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1272-203-0x0000000002C99000-0x0000000002CB3000-memory.dmp

Filesize
104KB

Download
memory/1276-273-0x0000000000000000-mapping.dmp

Download
memory/1360-283-0x0000000000000000-mapping.dmp

Download
memory/1508-278-0x00007FF7733D6890-mapping.dmp

Download
memory/1508-279-0x00000193C6A60000-0x00000193C6BA0000-memory.dmp

Filesize
1.2MB

Download
memory/1508-282-0x00000193C6BF0000-0x00000193C6EA5000-memory.dmp

Filesize
2.7MB

Download
memory/1508-284-0x00000193C6BF0000-0x00000193C6EA5000-memory.dmp

Filesize
2.7MB

Download
memory/1608-261-0x0000000000000000-mapping.dmp

Download
memory/1816-302-0x00007FF7733D6890-mapping.dmp

Download
memory/1816-307-0x000002A7FF600000-0x000002A7FF8B5000-memory.dmp

Filesize
2.7MB

Download
memory/1816-309-0x000002A7FF600000-0x000002A7FF8B5000-memory.dmp

Filesize
2.7MB

Download
memory/1900-165-0x0000000005030000-0x0000000005B85000-memory.dmp

Filesize
11.3MB

Download
memory/1900-199-0x0000000005030000-0x0000000005B85000-memory.dmp

Filesize
11.3MB

Download
memory/1900-169-0x0000000005030000-0x0000000005B85000-memory.dmp

Filesize
11.3MB

Download
memory/1900-162-0x0000000000000000-mapping.dmp

Download
memory/1916-217-0x0000000000000000-mapping.dmp

Download
memory/1920-250-0x000001BFF4BE0000-0x000001BFF4E95000-memory.dmp

Filesize
2.7MB

Download
memory/1920-248-0x000001BFF4BE0000-0x000001BFF4E95000-memory.dmp

Filesize
2.7MB

Download
memory/1920-247-0x000001BFF6640000-0x000001BFF6780000-memory.dmp

Filesize
1.2MB

Download
memory/1920-246-0x000001BFF6640000-0x000001BFF6780000-memory.dmp

Filesize
1.2MB

Download
memory/1920-245-0x00007FF7733D6890-mapping.dmp

Download
memory/1976-164-0x0000000003B50000-0x00000000046A5000-memory.dmp

Filesize
11.3MB

Download
memory/1976-191-0x0000000003B50000-0x00000000046A5000-memory.dmp

Filesize
11.3MB

Download
memory/1976-155-0x0000000003B50000-0x00000000046A5000-memory.dmp

Filesize
11.3MB

Download
memory/1988-269-0x000001C125960000-0x000001C125AA0000-memory.dmp

Filesize
1.2MB

Download
memory/1988-266-0x00007FF7733D6890-mapping.dmp

Download
memory/1988-272-0x000001C125AC0000-0x000001C125D75000-memory.dmp

Filesize
2.7MB

Download
memory/1988-207-0x0000000000000000-mapping.dmp

Download
memory/1988-270-0x000001C125AC0000-0x000001C125D75000-memory.dmp

Filesize
2.7MB

Download
memory/1988-267-0x000001C125960000-0x000001C125AA0000-memory.dmp

Filesize
1.2MB

Download
memory/1996-229-0x0000000000000000-mapping.dmp

Download
memory/2100-223-0x0000019F38D50000-0x0000019F38E90000-memory.dmp

Filesize
1.2MB

Download
memory/2100-222-0x00007FF7733D6890-mapping.dmp

Download
memory/2100-228-0x0000019F37480000-0x0000019F37735000-memory.dmp

Filesize
2.7MB

Download
memory/2100-224-0x0000019F38D50000-0x0000019F38E90000-memory.dmp

Filesize
1.2MB

Download
memory/2100-225-0x0000019F37480000-0x0000019F37735000-memory.dmp

Filesize
2.7MB

Download
memory/2428-186-0x0000019F7A4D0000-0x0000019F7A610000-memory.dmp

Filesize
1.2MB

Download
memory/2428-187-0x0000019F7A4D0000-0x0000019F7A610000-memory.dmp

Filesize
1.2MB

Download
memory/2428-188-0x0000019F78A70000-0x0000019F78D25000-memory.dmp

Filesize
2.7MB

Download
memory/2428-185-0x00007FF7733D6890-mapping.dmp

Download
memory/2428-190-0x0000019F78A70000-0x0000019F78D25000-memory.dmp

Filesize
2.7MB

Download
memory/2464-343-0x0000000000000000-mapping.dmp

Download
memory/2476-310-0x0000000000000000-mapping.dmp

Download
memory/2656-271-0x0000000000000000-mapping.dmp

Download
memory/3136-259-0x0000000000000000-mapping.dmp

Download
memory/3176-238-0x0000000000000000-mapping.dmp

Download
memory/3360-346-0x0000000000000000-mapping.dmp

Download
memory/3404-216-0x0000017BEDF00000-0x0000017BEE1B5000-memory.dmp

Filesize
2.7MB

Download
memory/3404-211-0x00007FF7733D6890-mapping.dmp

Download
memory/3404-214-0x0000017BEDF00000-0x0000017BEE1B5000-memory.dmp

Filesize
2.7MB

Download
memory/3404-213-0x0000017BEF960000-0x0000017BEFAA0000-memory.dmp

Filesize
1.2MB

Download
memory/3404-212-0x0000017BEF960000-0x0000017BEFAA0000-memory.dmp

Filesize
1.2MB

Download
memory/3408-146-0x00000000048E6000-0x00000000049CF000-memory.dmp

Filesize
932KB

Download
memory/3408-145-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/3408-136-0x0000000000000000-mapping.dmp

Download
memory/3408-143-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/3408-139-0x00000000048E6000-0x00000000049CF000-memory.dmp

Filesize
932KB

Download
memory/3408-144-0x00000000049D0000-0x0000000004AFE000-memory.dmp

Filesize
1.2MB

Download
memory/3432-249-0x0000000000000000-mapping.dmp

Download
memory/3460-236-0x00000220034C0000-0x0000022003600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-235-0x00000220034C0000-0x0000022003600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-237-0x0000022001A60000-0x0000022001D15000-memory.dmp

Filesize
2.7MB

Download
memory/3460-239-0x0000022001A60000-0x0000022001D15000-memory.dmp

Filesize
2.7MB

Download
memory/3460-234-0x00007FF7733D6890-mapping.dmp

Download
memory/3512-189-0x0000000000000000-mapping.dmp

Download
memory/3736-340-0x00007FF7733D6890-mapping.dmp

Download
memory/3736-345-0x000001FFE6C20000-0x000001FFE6ED5000-memory.dmp

Filesize
2.7MB

Download
memory/3736-347-0x000001FFE6C20000-0x000001FFE6ED5000-memory.dmp

Filesize
2.7MB

Download
memory/3836-201-0x0000000000000000-mapping.dmp

Download
memory/3860-240-0x0000000000000000-mapping.dmp

Download
memory/3872-257-0x0000020B1C590000-0x0000020B1C6D0000-memory.dmp

Filesize
1.2MB

Download
memory/3872-255-0x00007FF7733D6890-mapping.dmp

Download
memory/3872-256-0x0000020B1C590000-0x0000020B1C6D0000-memory.dmp

Filesize
1.2MB

Download
memory/3872-258-0x0000020B1AB30000-0x0000020B1ADE5000-memory.dmp

Filesize
2.7MB

Download
memory/3872-260-0x0000020B1AB30000-0x0000020B1ADE5000-memory.dmp

Filesize
2.7MB

Download
memory/3924-291-0x00007FF7733D6890-mapping.dmp

Download
memory/3924-295-0x000001C285F90000-0x000001C286245000-memory.dmp

Filesize
2.7MB

Download
memory/3924-296-0x000001C285F90000-0x000001C286245000-memory.dmp

Filesize
2.7MB

Download
memory/4028-286-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-275-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-232-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-231-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-230-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-344-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-335-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-331-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-330-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-241-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-242-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-243-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-244-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-317-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-195-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-194-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-306-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-181-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-172-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-251-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-252-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-253-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-254-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-182-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-183-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-184-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-220-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-221-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-219-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-173-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-262-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-263-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-264-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-265-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-170-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-171-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-151-0x0000000005770000-0x00000000062C5000-memory.dmp

Filesize
11.3MB

Download
memory/4028-268-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-150-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-305-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-149-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-148-0x0000000005770000-0x00000000062C5000-memory.dmp

Filesize
11.3MB

Download
memory/4028-274-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-233-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-276-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-147-0x0000000005770000-0x00000000062C5000-memory.dmp

Filesize
11.3MB

Download
memory/4028-277-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-218-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-281-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-192-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-206-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-210-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-140-0x0000000000000000-mapping.dmp

Download
memory/4028-193-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-209-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4028-294-0x0000000004E96000-0x0000000004E98000-memory.dmp

Filesize
8KB

Download
memory/4028-208-0x0000000004DF0000-0x0000000004F30000-memory.dmp

Filesize
1.2MB

Download
memory/4296-329-0x0000000000000000-mapping.dmp

Download
memory/4320-226-0x0000000000000000-mapping.dmp

Download
memory/4412-179-0x000002309D390000-0x000002309D645000-memory.dmp

Filesize
2.7MB

Download
memory/4412-177-0x0000000000100000-0x00000000003A4000-memory.dmp

Filesize
2.6MB

Download
memory/4412-178-0x000002309D390000-0x000002309D645000-memory.dmp

Filesize
2.7MB

Download
memory/4412-176-0x000002309EE10000-0x000002309EF50000-memory.dmp

Filesize
1.2MB

Download
memory/4412-175-0x000002309EE10000-0x000002309EF50000-memory.dmp

Filesize
1.2MB

Download
memory/4412-174-0x00007FF7733D6890-mapping.dmp

Download
memory/4612-333-0x0000000000000000-mapping.dmp

Download
memory/4640-315-0x00007FF7733D6890-mapping.dmp

Download
memory/4640-321-0x0000020766650000-0x0000020766905000-memory.dmp

Filesize
2.7MB

Download
memory/4640-319-0x0000020766650000-0x0000020766905000-memory.dmp

Filesize
2.7MB

Download
memory/4648-227-0x0000000000000000-mapping.dmp

Download
memory/4732-196-0x00007FF7733D6890-mapping.dmp

Download
memory/4732-200-0x00000249287B0000-0x0000024928A65000-memory.dmp

Filesize
2.7MB

Download
memory/4732-198-0x000002492A210000-0x000002492A350000-memory.dmp

Filesize
1.2MB

Download
memory/4732-197-0x000002492A210000-0x000002492A350000-memory.dmp

Filesize
1.2MB

Download
memory/4732-202-0x00000249287B0000-0x0000024928A65000-memory.dmp

Filesize
2.7MB

Download
memory/4956-285-0x0000000000000000-mapping.dmp

Download
memory/5060-308-0x0000000000000000-mapping.dmp

Download
memory/5096-297-0x0000000000000000-mapping.dmp

Download
memory/5100-326-0x00007FF7733D6890-mapping.dmp

Download
memory/5100-332-0x000001F710670000-0x000001F710925000-memory.dmp

Filesize
2.7MB

Download
memory/5100-334-0x000001F710670000-0x000001F710925000-memory.dmp

Filesize
2.7MB

Download
memory/5108-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/5108-133-0x0000000004790000-0x0000000004799000-memory.dmp

Filesize
36KB

Download
memory/5108-132-0x0000000002CC8000-0x0000000002CD9000-memory.dmp

Filesize
68KB

Download
memory/5108-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download