lumma | 94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8

Analysis

max time kernel
101s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
Size

210KB
MD5

63f1cf4d473f59b211da781139c2602e
SHA1

c584e03ce15d4505fd32acb742c2a380a87cbbd4
SHA256

94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8
SHA512

4dc999e5dde7d23531ed3e172c9a623da5d1e437587c6456ea5240099fbf23c4ee43b9af7e0f30cd39199984417853cc08e9ca9d655c48578edbe4dbd5497e69
SSDEEP

3072:/XWPEBQS7Ha5yvF7+jn5/0rIApqj4/pdlFk1i:vp7YjN0rIApN

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4156-133-0x0000000002CE0000-0x0000000002CE9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

33 4628 rundll32.exe
35 4628 rundll32.exe
37 4628 rundll32.exe
56 4628 rundll32.exe
57 4628 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E842.exeA5D6.exe

pid process

4968 E842.exe
2440 A5D6.exe

flow	pid	process
33	4628	rundll32.exe
35	4628	rundll32.exe
37	4628	rundll32.exe
56	4628	rundll32.exe
57	4628	rundll32.exe

pid	process
4968	E842.exe
2440	A5D6.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll耀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4628 rundll32.exe
2476 svchost.exe
440 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4628	rundll32.exe
2476	svchost.exe
440	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4628 set thread context of 3636	4628	rundll32.exe	rundll32.exe
PID 4628 set thread context of 4332	4628	rundll32.exe	rundll32.exe
PID 4628 set thread context of 4188	4628	rundll32.exe	rundll32.exe
PID 4628 set thread context of 4972	4628	rundll32.exe	rundll32.exe
PID 4628 set thread context of 1372	4628	rundll32.exe	rundll32.exe
PID 4628 set thread context of 1408	4628	rundll32.exe	rundll32.exe

Drops file in Program Files directory 11 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4468 4968 WerFault.exe E842.exe
4820 2440 WerFault.exe A5D6.exe

pid	pid_target	process	target process
4468	4968	WerFault.exe	E842.exe
4820	2440	WerFault.exe	A5D6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f56a984100054656d7000003a0009000400efbe0c55ec982f56a9842e00000000000000000000000000000000000000000000000000f5ac2b01540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2592

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe

pid	process
4156	94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
4156	94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2592
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe

pid process

4156 94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeDebugPrivilege	4628	rundll32.exe
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2592
2592
2592
2592
2592
2592
2592
2592
4628	rundll32.exe
3636	rundll32.exe
4332	rundll32.exe
4628	rundll32.exe
4188	rundll32.exe
4972	rundll32.exe
4628	rundll32.exe
1372	rundll32.exe
4628	rundll32.exe
1408	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2592
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2592
2592

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

E842.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2592 wrote to memory of 4968	2592		E842.exe
PID 2592 wrote to memory of 4968	2592		E842.exe
PID 2592 wrote to memory of 4968	2592		E842.exe
PID 4968 wrote to memory of 4628	4968	E842.exe	rundll32.exe
PID 4968 wrote to memory of 4628	4968	E842.exe	rundll32.exe
PID 4968 wrote to memory of 4628	4968	E842.exe	rundll32.exe
PID 2476 wrote to memory of 440	2476	svchost.exe	rundll32.exe
PID 2476 wrote to memory of 440	2476	svchost.exe	rundll32.exe
PID 2476 wrote to memory of 440	2476	svchost.exe	rundll32.exe
PID 4628 wrote to memory of 3636	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 3636	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 3636	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe
PID 2592 wrote to memory of 2440	2592		A5D6.exe
PID 2592 wrote to memory of 2440	2592		A5D6.exe
PID 2592 wrote to memory of 2440	2592		A5D6.exe
PID 4628 wrote to memory of 4116	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4116	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4116	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4332	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4332	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4332	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4928	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4928	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4928	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4188	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4188	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4188	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1880	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 1880	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 1880	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4972	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4972	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4972	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4032	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4032	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4032	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4816	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4816	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4816	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 1372	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1372	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1372	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 2304	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 2304	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 2304	4628	rundll32.exe	schtasks.exe
PID 4628 wrote to memory of 4540	4628	rundll32.exe	Conhost.exe
PID 4628 wrote to memory of 4540	4628	rundll32.exe	Conhost.exe
PID 4628 wrote to memory of 4540	4628	rundll32.exe	Conhost.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1408	4628	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe
"C:\Users\Admin\AppData\Local\Temp\94cd01440758f627a06265285a8b50f0484d869d9ce4f6b904c0b9d37910b3a8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4156

C:\Users\Admin\AppData\Local\Temp\E842.exe
C:\Users\Admin\AppData\Local\Temp\E842.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4628

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3636

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4332

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4928

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1880

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4032

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4816

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Suspicious use of FindShellTrayWindow
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4988

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1120

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:2328

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3560

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:692

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3128

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4768

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3588

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4540

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:740

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1256

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:2560

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 556
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4968 -ip 4968
1⤵
PID:2328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\certificates_r..dll",JwMkaTE1Qg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:440

C:\Users\Admin\AppData\Local\Temp\A5D6.exe
C:\Users\Admin\AppData\Local\Temp\A5D6.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1364
2⤵
- Program crash
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2440 -ip 2440
1⤵
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll
Filesize
774KB

MD5
e3c53ea142905ee780b54a5df5b111a0

SHA1
8dacbe241a8ba3685a81fb424e479546cfcbbd81

SHA256
eea07a9419f76b16594505cb31d1432f876b68daab1d9caab7540b1ee6b187bb

SHA512
5ed2028960780b0471c5e8bf84f860ab1040b5cdfbe6e14cf51b1587b8916725fd19a6ae48f09a6a31c42e7391f263f4b70f2a7ce5ad2a6fb37b008fd1736936

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll
Filesize
774KB

MD5
e3c53ea142905ee780b54a5df5b111a0

SHA1
8dacbe241a8ba3685a81fb424e479546cfcbbd81

SHA256
eea07a9419f76b16594505cb31d1432f876b68daab1d9caab7540b1ee6b187bb

SHA512
5ed2028960780b0471c5e8bf84f860ab1040b5cdfbe6e14cf51b1587b8916725fd19a6ae48f09a6a31c42e7391f263f4b70f2a7ce5ad2a6fb37b008fd1736936

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch
Filesize
158B

MD5
dd8778eda0b96d5d71716fbb50300293

SHA1
17b3a49fe039ef5c930801c3a77922b30a61ee69

SHA256
61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0

SHA512
4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_8_12_19_5_27.etl
Filesize
256KB

MD5
52b1a27411b92c3122d5d4d7a2a5515f

SHA1
b264f5103d7cc9782096a8f46abdfc7cc69ac4fb

SHA256
eba544562fcf50cec671aca48ca410a6acb95210f3f1ab56fc7f3e75b718d2fb

SHA512
3597b3eefb59d003d89ffaa6a88d66c6d7206a1464a9eae44ff6583b5b9786db815c15764bbef6dfdfcdc73d7c2cb46b29e2624c690432b84bb4a03ed40b94bd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
7KB

MD5
e585657cf3525fd22dad5e2409eb9e60

SHA1
1c0b9d97bb93098e1d8a162b9725a0d6134dc913

SHA256
581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8

SHA512
601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Win32.xml
Filesize
66KB

MD5
d6269a771887562b5461c9a99bcfeacd

SHA1
d4f5647c655af50453e2097eb3e8552318f139a1

SHA256
58e3a955ba9293be903e880620c559bcd4f5b8069c3c23a3f06a9c549ed621d1

SHA512
18b23fea2436cd1c6ac8dd159660f386694abe0d6c2e5bca15e11bbf9da06a620bc4c759af1b5646bed8086576369b051bec0f41837127738bebce9f13b9dc30

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
dbb0bbe9e707274ec48b391a746c71ea

SHA1
9c8d5739455b02474c56341863b5703b70b84187

SHA256
9f08cf46b12ec9b3addbf34ad5501bdf2d315074ae3702ec5252e5331ebed36d

SHA512
494d97bfc8955b1245b7c458dc5e2f2e9110fea7a41c3c4478b30499a40e2e1e61c9a5fdd2d778e6372370fbf41275753dd36e0b4f8fd2aab16aff17577b5b3b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\guest.bmp
Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5D6.exe
Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5D6.exe
Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E842.exe
Filesize
1.0MB

MD5
454115a86e3db8becb1be08193c5cbff

SHA1
fe63179e1976f11299c7e5d2dffb5ea39011b6ed

SHA256
99f8eba8b301dac98003343c888721fbc1f623bc03a5f3ab8a622147c0979ef8

SHA512
d49dc926124d6edbcb19d15d187a21cfbda9a81cdd62f3962916e8967d4dcf9731a282a980c6e7ad318d059c2c1627f1c08a2855e8a58e06f0cebc5f200509b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E842.exe
Filesize
1.0MB

MD5
454115a86e3db8becb1be08193c5cbff

SHA1
fe63179e1976f11299c7e5d2dffb5ea39011b6ed

SHA256
99f8eba8b301dac98003343c888721fbc1f623bc03a5f3ab8a622147c0979ef8

SHA512
d49dc926124d6edbcb19d15d187a21cfbda9a81cdd62f3962916e8967d4dcf9731a282a980c6e7ad318d059c2c1627f1c08a2855e8a58e06f0cebc5f200509b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\certificates_r..dll
Filesize
774KB

MD5
e3c53ea142905ee780b54a5df5b111a0

SHA1
8dacbe241a8ba3685a81fb424e479546cfcbbd81

SHA256
eea07a9419f76b16594505cb31d1432f876b68daab1d9caab7540b1ee6b187bb

SHA512
5ed2028960780b0471c5e8bf84f860ab1040b5cdfbe6e14cf51b1587b8916725fd19a6ae48f09a6a31c42e7391f263f4b70f2a7ce5ad2a6fb37b008fd1736936

Download Submit
memory/440-158-0x0000000000000000-mapping.dmp

Download
memory/440-161-0x0000000004980000-0x00000000054D5000-memory.dmp

Filesize
11.3MB

Download
memory/440-162-0x0000000004980000-0x00000000054D5000-memory.dmp

Filesize
11.3MB

Download
memory/452-263-0x00007FF738BE6890-mapping.dmp

Download
memory/452-264-0x0000019F91EE0000-0x0000019F92020000-memory.dmp

Filesize
1.2MB

Download
memory/452-266-0x0000019F91EE0000-0x0000019F92020000-memory.dmp

Filesize
1.2MB

Download
memory/452-267-0x0000019F90480000-0x0000019F90735000-memory.dmp

Filesize
2.7MB

Download
memory/452-269-0x0000019F90480000-0x0000019F90735000-memory.dmp

Filesize
2.7MB

Download
memory/692-290-0x0000000000000000-mapping.dmp

Download
memory/740-312-0x0000000000000000-mapping.dmp

Download
memory/1120-265-0x0000000000000000-mapping.dmp

Download
memory/1256-314-0x0000000000000000-mapping.dmp

Download
memory/1372-222-0x000001C683A70000-0x000001C683BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1372-221-0x00007FF738BE6890-mapping.dmp

Download
memory/1372-223-0x000001C683A70000-0x000001C683BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1372-224-0x000001C6821A0000-0x000001C682455000-memory.dmp

Filesize
2.7MB

Download
memory/1372-226-0x000001C6821A0000-0x000001C682455000-memory.dmp

Filesize
2.7MB

Download
memory/1408-234-0x000001A289CC0000-0x000001A289E00000-memory.dmp

Filesize
1.2MB

Download
memory/1408-233-0x000001A289CC0000-0x000001A289E00000-memory.dmp

Filesize
1.2MB

Download
memory/1408-235-0x000001A288260000-0x000001A288515000-memory.dmp

Filesize
2.7MB

Download
memory/1408-174-0x0000000000000000-mapping.dmp

Download
memory/1408-232-0x00007FF738BE6890-mapping.dmp

Download
memory/1408-237-0x000001A288260000-0x000001A288515000-memory.dmp

Filesize
2.7MB

Download
memory/1488-247-0x0000018BABE20000-0x0000018BAC0D5000-memory.dmp

Filesize
2.7MB

Download
memory/1488-244-0x0000018BAD880000-0x0000018BAD9C0000-memory.dmp

Filesize
1.2MB

Download
memory/1488-243-0x00007FF738BE6890-mapping.dmp

Download
memory/1488-246-0x0000018BABE20000-0x0000018BAC0D5000-memory.dmp

Filesize
2.7MB

Download
memory/1488-245-0x0000018BAD880000-0x0000018BAD9C0000-memory.dmp

Filesize
1.2MB

Download
memory/1880-204-0x0000000000000000-mapping.dmp

Download
memory/2004-248-0x0000000000000000-mapping.dmp

Download
memory/2132-297-0x00007FF738BE6890-mapping.dmp

Download
memory/2132-300-0x0000015CF1B50000-0x0000015CF1E05000-memory.dmp

Filesize
2.7MB

Download
memory/2132-302-0x0000015CF1B50000-0x0000015CF1E05000-memory.dmp

Filesize
2.7MB

Download
memory/2304-225-0x0000000000000000-mapping.dmp

Download
memory/2328-274-0x00007FF738BE6890-mapping.dmp

Download
memory/2328-275-0x0000020B3E520000-0x0000020B3E660000-memory.dmp

Filesize
1.2MB

Download
memory/2328-279-0x0000020B3CAC0000-0x0000020B3CD75000-memory.dmp

Filesize
2.7MB

Download
memory/2328-277-0x0000020B3CAC0000-0x0000020B3CD75000-memory.dmp

Filesize
2.7MB

Download
memory/2352-278-0x0000000000000000-mapping.dmp

Download
memory/2440-188-0x0000000002D09000-0x0000000002D23000-memory.dmp

Filesize
104KB

Download
memory/2440-198-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2440-189-0x00000000046D0000-0x00000000046FA000-memory.dmp

Filesize
168KB

Download
memory/2440-175-0x0000000000000000-mapping.dmp

Download
memory/2440-190-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2476-193-0x0000000003860000-0x00000000043B5000-memory.dmp

Filesize
11.3MB

Download
memory/2476-160-0x0000000003860000-0x00000000043B5000-memory.dmp

Filesize
11.3MB

Download
memory/2476-152-0x0000000003860000-0x00000000043B5000-memory.dmp

Filesize
11.3MB

Download
memory/2560-324-0x000001AF4B970000-0x000001AF4BC25000-memory.dmp

Filesize
2.7MB

Download
memory/2560-322-0x000001AF4B970000-0x000001AF4BC25000-memory.dmp

Filesize
2.7MB

Download
memory/2560-319-0x00007FF738BE6890-mapping.dmp

Download
memory/3128-294-0x0000000000000000-mapping.dmp

Download
memory/3560-280-0x0000000000000000-mapping.dmp

Download
memory/3588-307-0x00007FF738BE6890-mapping.dmp

Download
memory/3588-313-0x000001F9BF2C0000-0x000001F9BF575000-memory.dmp

Filesize
2.7MB

Download
memory/3588-311-0x000001F9BF2C0000-0x000001F9BF575000-memory.dmp

Filesize
2.7MB

Download
memory/3636-172-0x0000000000E70000-0x0000000001114000-memory.dmp

Filesize
2.6MB

Download
memory/3636-168-0x00007FF738BE6890-mapping.dmp

Download
memory/3636-173-0x0000022E9D1A0000-0x0000022E9D455000-memory.dmp

Filesize
2.7MB

Download
memory/3636-178-0x0000022E9D1A0000-0x0000022E9D455000-memory.dmp

Filesize
2.7MB

Download
memory/3636-170-0x0000022E9EC00000-0x0000022E9ED40000-memory.dmp

Filesize
1.2MB

Download
memory/3636-169-0x0000022E9EC00000-0x0000022E9ED40000-memory.dmp

Filesize
1.2MB

Download
memory/3644-238-0x0000000000000000-mapping.dmp

Download
memory/3660-323-0x0000000000000000-mapping.dmp

Download
memory/3900-268-0x0000000000000000-mapping.dmp

Download
memory/4032-214-0x0000000000000000-mapping.dmp

Download
memory/4056-308-0x0000000000000000-mapping.dmp

Download
memory/4116-179-0x0000000000000000-mapping.dmp

Download
memory/4156-133-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/4156-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4156-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4156-132-0x0000000002F48000-0x0000000002F58000-memory.dmp

Filesize
64KB

Download
memory/4188-203-0x0000023D30190000-0x0000023D30445000-memory.dmp

Filesize
2.7MB

Download
memory/4188-201-0x0000023D31BF0000-0x0000023D31D30000-memory.dmp

Filesize
1.2MB

Download
memory/4188-205-0x0000023D30190000-0x0000023D30445000-memory.dmp

Filesize
2.7MB

Download
memory/4188-200-0x0000023D31BF0000-0x0000023D31D30000-memory.dmp

Filesize
1.2MB

Download
memory/4188-199-0x00007FF738BE6890-mapping.dmp

Download
memory/4332-187-0x0000022C12EA0000-0x0000022C13155000-memory.dmp

Filesize
2.7MB

Download
memory/4332-184-0x00007FF738BE6890-mapping.dmp

Download
memory/4332-185-0x0000022C12D40000-0x0000022C12E80000-memory.dmp

Filesize
1.2MB

Download
memory/4332-186-0x0000022C12D40000-0x0000022C12E80000-memory.dmp

Filesize
1.2MB

Download
memory/4332-192-0x0000022C12EA0000-0x0000022C13155000-memory.dmp

Filesize
2.7MB

Download
memory/4392-256-0x0000017834CA0000-0x0000017834F55000-memory.dmp

Filesize
2.7MB

Download
memory/4392-253-0x00007FF738BE6890-mapping.dmp

Download
memory/4392-254-0x0000017836700000-0x0000017836840000-memory.dmp

Filesize
1.2MB

Download
memory/4392-255-0x0000017836700000-0x0000017836840000-memory.dmp

Filesize
1.2MB

Download
memory/4392-258-0x0000017834CA0000-0x0000017834F55000-memory.dmp

Filesize
2.7MB

Download
memory/4436-236-0x0000000000000000-mapping.dmp

Download
memory/4540-227-0x0000000000000000-mapping.dmp

Download
memory/4628-259-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-196-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-231-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-229-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-239-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-240-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-241-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-242-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-228-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-220-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-219-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-218-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-217-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-139-0x0000000000000000-mapping.dmp

Download
memory/4628-249-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-250-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-251-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-252-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-145-0x00000000047F0000-0x0000000005345000-memory.dmp

Filesize
11.3MB

Download
memory/4628-146-0x00000000047F0000-0x0000000005345000-memory.dmp

Filesize
11.3MB

Download
memory/4628-147-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-148-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-163-0x0000000006F20000-0x0000000007060000-memory.dmp

Filesize
1.2MB

Download
memory/4628-164-0x0000000006F75000-0x0000000006F77000-memory.dmp

Filesize
8KB

Download
memory/4628-209-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-260-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-261-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-262-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-208-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-207-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-206-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-202-0x0000000006F75000-0x0000000006F77000-memory.dmp

Filesize
8KB

Download
memory/4628-197-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-230-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-195-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-270-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-271-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-272-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-273-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-194-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-165-0x0000000006F20000-0x0000000007060000-memory.dmp

Filesize
1.2MB

Download
memory/4628-183-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-182-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-181-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-180-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-166-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-167-0x0000000005440000-0x0000000005580000-memory.dmp

Filesize
1.2MB

Download
memory/4628-171-0x0000000006F75000-0x0000000006F77000-memory.dmp

Filesize
8KB

Download
memory/4740-289-0x0000019A6BE10000-0x0000019A6C0C5000-memory.dmp

Filesize
2.7MB

Download
memory/4740-291-0x0000019A6BE10000-0x0000019A6C0C5000-memory.dmp

Filesize
2.7MB

Download
memory/4740-287-0x0000000000B40000-0x0000000000DE4000-memory.dmp

Filesize
2.6MB

Download
memory/4740-285-0x00007FF738BE6890-mapping.dmp

Download
memory/4768-301-0x0000000000000000-mapping.dmp

Download
memory/4816-216-0x0000000000000000-mapping.dmp

Download
memory/4928-191-0x0000000000000000-mapping.dmp

Download
memory/4968-144-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/4968-143-0x0000000004A70000-0x0000000004B9E000-memory.dmp

Filesize
1.2MB

Download
memory/4968-142-0x000000000497F000-0x0000000004A68000-memory.dmp

Filesize
932KB

Download
memory/4968-136-0x0000000000000000-mapping.dmp

Download
memory/4972-211-0x000001EB64750000-0x000001EB64890000-memory.dmp

Filesize
1.2MB

Download
memory/4972-212-0x000001EB64750000-0x000001EB64890000-memory.dmp

Filesize
1.2MB

Download
memory/4972-213-0x000001EB62E80000-0x000001EB63135000-memory.dmp

Filesize
2.7MB

Download
memory/4972-215-0x000001EB62E80000-0x000001EB63135000-memory.dmp

Filesize
2.7MB

Download
memory/4972-210-0x00007FF738BE6890-mapping.dmp

Download
memory/4988-257-0x0000000000000000-mapping.dmp

Download