lumma | 170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0

Analysis

max time kernel
113s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2023 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
Size

207KB
MD5

2629d882824682177464316e08824077
SHA1

da1863d4aff251dba95f4946b415a9121d6e2293
SHA256

170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0
SHA512

7af0d515f89ace2b0daa15c3a7e7d0aeedf4d54f060a844cdd7b166dcc00ad86e759576e95db825f66ecbcba769f165b6ba45f37ad886296ffa2932a82a9a9ab
SSDEEP

3072:vXq0Xp3Xj7I5DJQm5CaEdM2Eqdmr/asXxSynRYei:fBjieachdo/DXxdRY

Score

10^/10

lumma collection discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

25 2708 rundll32.exe
26 2708 rundll32.exe
28 2708 rundll32.exe
30 2708 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2D69.exe5B21.exe

pid process

2416 2D69.exe
1152 5B21.exe

flow	pid	process
25	2708	rundll32.exe
26	2708	rundll32.exe
28	2708	rundll32.exe
30	2708	rundll32.exe

pid	process
2416	2D69.exe
1152	5B21.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_wob\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_highContrast_wob.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_wob\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Deletes itself 1 IoCs

Processes:

pid process

3056
Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2708 rundll32.exe
4960 svchost.exe
3864 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056

pid	process
2708	rundll32.exe
4960	svchost.exe
3864	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2708 set thread context of 4976	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 2288	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 3776	2708	rundll32.exe	rundll32.exe
PID 2708 set thread context of 4524	2708	rundll32.exe	rundll32.exe

Drops file in Program Files directory 37 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\favicon.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-ui-theme.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 63 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f562d80100054656d7000003a0009000400efbe0c55a7892f562d802e00000000000000000000000000000000000000000000000000be4b0600540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3056

pid	process
3056

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe

pid	process
2664	170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
2664	170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe

pid process

2664 170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2708	rundll32.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4976	rundll32.exe
2288	rundll32.exe
3056
3056
3056
3056
2708	rundll32.exe
3056
3056
3056
3056
3776	rundll32.exe
4524	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3056
3056

pid	process
3056
3056

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

2D69.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3056 wrote to memory of 2416	3056		2D69.exe
PID 3056 wrote to memory of 2416	3056		2D69.exe
PID 3056 wrote to memory of 2416	3056		2D69.exe
PID 2416 wrote to memory of 2708	2416	2D69.exe	rundll32.exe
PID 2416 wrote to memory of 2708	2416	2D69.exe	rundll32.exe
PID 2416 wrote to memory of 2708	2416	2D69.exe	rundll32.exe
PID 3056 wrote to memory of 1152	3056		5B21.exe
PID 3056 wrote to memory of 1152	3056		5B21.exe
PID 3056 wrote to memory of 1152	3056		5B21.exe
PID 2708 wrote to memory of 4976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 4976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 4976	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2288	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2288	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2288	2708	rundll32.exe	rundll32.exe
PID 4960 wrote to memory of 3864	4960	svchost.exe	rundll32.exe
PID 4960 wrote to memory of 3864	4960	svchost.exe	rundll32.exe
PID 4960 wrote to memory of 3864	4960	svchost.exe	rundll32.exe
PID 2708 wrote to memory of 3776	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3776	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 3776	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 2272	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 3724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 3724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 3724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4524	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 4524	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 4524	2708	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 5052	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5052	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5052	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 4724	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 856	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 856	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 856	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5104	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5104	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5104	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 328	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 328	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 328	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5036	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5036	2708	rundll32.exe	schtasks.exe
PID 2708 wrote to memory of 5036	2708	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe
"C:\Users\Admin\AppData\Local\Temp\170e174a0818f7dc9a2827203fa9984fb5cbf40fe89075209ef603921e422ac0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Local\Temp\2D69.exe
C:\Users\Admin\AppData\Local\Temp\2D69.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2708

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18680
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4976

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18680
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2288

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18680
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3776

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2272

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3724

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18680
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5052

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4724

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:328

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3064

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2212

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3960

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3720

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1268

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3988

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:676

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\5B21.exe
C:\Users\Admin\AppData\Local\Temp\5B21.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll",hVUwQzlMdg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\115__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml
Filesize
646B

MD5
a3f5a2683540ae3aa0c0da2c023bce1f

SHA1
5f7f3484fdfc18978d167caa7d1a2bd09052a340

SHA256
2ab1f00eaed85c5076cd9dc2cbb3b4bc9b7456b8ab37dd85476f110b94e0dc91

SHA512
3c86579436a5c7c672c5648c7a661d5bdcfe7d3150fbcd9a18165dc0ddb1257c11fd5f4997e7665de8ecd73097d52aa1eb79582c4c0d0bc462a80acfd60fb8ea

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\123__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
Filesize
480B

MD5
bfbff89c7d2533270a97429879704295

SHA1
61fe4d0adfcbc0400bb7408d053efdd1dac7f207

SHA256
939f86c8e33354025c9231816294414658f82a6f3f1fc4bda17e603aa9f0b584

SHA512
83ee9190296fbdd5ae465e9f35b93f9d7051f94db983e01c413e201f58bf5e99cfac2a9b2236acf0694fa0958df6643df3b0e36981c269e92c839118a4ac7c6a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\147__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml
Filesize
707B

MD5
eff2445f7dc49fb189e46a53f44acf99

SHA1
a29740e70af2d1ed6b8063336f188269cd2ed899

SHA256
9cf573e616856ddbecf708313d49437895d570afe73d35747dcdbdf06e813ee2

SHA512
fcb308f4ee505ae49d0832de754abd85385fb148013819d8b419d1a81c17c7e54ebc06a9d6f325624673f9480b98ca1412fbd3502537a0964eaff4d9d5974769

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32mui.msi.16.en-us.xml
Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MasterDescriptor.en-us.xml
Filesize
28KB

MD5
4bee7862d96900a7b0f20d709ffe5af2

SHA1
59f4073ff756ee74e83e5d9448e7d6da69f3bf08

SHA256
526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63

SHA512
ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
df34610bdb011a45f56ebb0eb5a837a3

SHA1
7cd2f1ff5b498bc4e0b36a290d2459531cdc6d8f

SHA256
19fcbc4aef60474fa05945a506ed434d0618f475521f4c2ab5d25ee5ed84f4f6

SHA512
28bd96d78148a3d3f7c2d5e6ecacbbca4489ce4bef29de455f21c087538d8cb1ccf7a0fae89ae6e533b81ddbab09df569cd2a1b14a326fc8f5868fd8f187135c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\behavior.xml
Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
66963736ebb1e54dc596701206eaed3f

SHA1
18bc8dfc779d407398af193f3d265ff93f253bc2

SHA256
fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

SHA512
96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D69.exe
Filesize
1.0MB

MD5
454115a86e3db8becb1be08193c5cbff

SHA1
fe63179e1976f11299c7e5d2dffb5ea39011b6ed

SHA256
99f8eba8b301dac98003343c888721fbc1f623bc03a5f3ab8a622147c0979ef8

SHA512
d49dc926124d6edbcb19d15d187a21cfbda9a81cdd62f3962916e8967d4dcf9731a282a980c6e7ad318d059c2c1627f1c08a2855e8a58e06f0cebc5f200509b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D69.exe
Filesize
1.0MB

MD5
454115a86e3db8becb1be08193c5cbff

SHA1
fe63179e1976f11299c7e5d2dffb5ea39011b6ed

SHA256
99f8eba8b301dac98003343c888721fbc1f623bc03a5f3ab8a622147c0979ef8

SHA512
d49dc926124d6edbcb19d15d187a21cfbda9a81cdd62f3962916e8967d4dcf9731a282a980c6e7ad318d059c2c1627f1c08a2855e8a58e06f0cebc5f200509b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B21.exe
Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B21.exe
Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll
Filesize
774KB

MD5
42ad8d2e22941661515b640b2a000bc0

SHA1
980edc1b5e9de5710dcbaf9e3ca7054046fc49bf

SHA256
b307d5b407b58d534236a67b47ed95dc1ff54ec9e5b61089c7cb4eeaa0ccb337

SHA512
a04e1900d3013d4ab6fcad751898e631ef94b38a8c20ce3e8f88ba885173dae01881f31bd59557f05c9608e25395c4d59465e84da4b4a725f22a0190a01ec1eb

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
Filesize
774KB

MD5
42ad8d2e22941661515b640b2a000bc0

SHA1
980edc1b5e9de5710dcbaf9e3ca7054046fc49bf

SHA256
b307d5b407b58d534236a67b47ed95dc1ff54ec9e5b61089c7cb4eeaa0ccb337

SHA512
a04e1900d3013d4ab6fcad751898e631ef94b38a8c20ce3e8f88ba885173dae01881f31bd59557f05c9608e25395c4d59465e84da4b4a725f22a0190a01ec1eb

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
Filesize
774KB

MD5
42ad8d2e22941661515b640b2a000bc0

SHA1
980edc1b5e9de5710dcbaf9e3ca7054046fc49bf

SHA256
b307d5b407b58d534236a67b47ed95dc1ff54ec9e5b61089c7cb4eeaa0ccb337

SHA512
a04e1900d3013d4ab6fcad751898e631ef94b38a8c20ce3e8f88ba885173dae01881f31bd59557f05c9608e25395c4d59465e84da4b4a725f22a0190a01ec1eb

Download Submit
\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
memory/328-707-0x0000000000000000-mapping.dmp

Download
memory/332-941-0x0000000000000000-mapping.dmp

Download
memory/676-923-0x0000000000000000-mapping.dmp

Download
memory/856-671-0x0000000000000000-mapping.dmp

Download
memory/1152-343-0x0000000002E66000-0x0000000002E80000-memory.dmp

Filesize
104KB

Download
memory/1152-344-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1152-319-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1152-314-0x0000000002BB0000-0x0000000002C5E000-memory.dmp

Filesize
696KB

Download
memory/1152-312-0x0000000002E66000-0x0000000002E80000-memory.dmp

Filesize
104KB

Download
memory/1152-235-0x0000000000000000-mapping.dmp

Download
memory/1268-851-0x0000000000000000-mapping.dmp

Download
memory/2156-959-0x0000000000000000-mapping.dmp

Download
memory/2212-779-0x0000000000000000-mapping.dmp

Download
memory/2272-586-0x0000000000000000-mapping.dmp

Download
memory/2288-454-0x00007FF7F99B5FD0-mapping.dmp

Download
memory/2288-483-0x000001F4E55A0000-0x000001F4E5855000-memory.dmp

Filesize
2.7MB

Download
memory/2288-511-0x000001F4E55A0000-0x000001F4E5855000-memory.dmp

Filesize
2.7MB

Download
memory/2416-190-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-193-0x00000000048C0000-0x00000000049AB000-memory.dmp

Filesize
940KB

Download
memory/2416-217-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/2416-158-0x0000000000000000-mapping.dmp

Download
memory/2416-201-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/2416-160-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-161-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-162-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-163-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-164-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-165-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-166-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-168-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-195-0x00000000049B0000-0x0000000004ADE000-memory.dmp

Filesize
1.2MB

Download
memory/2416-169-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-170-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-171-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-172-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-173-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-174-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-175-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-177-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-178-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-179-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-180-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-181-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-182-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-183-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-184-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-185-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-186-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-187-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-188-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-189-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-192-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-191-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-153-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2664-154-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2664-146-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/2664-127-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/2664-129-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2708-368-0x00000000078B0000-0x0000000008405000-memory.dmp

Filesize
11.3MB

Download
memory/2708-572-0x0000000006FA2000-0x0000000006FA4000-memory.dmp

Filesize
8KB

Download
memory/2708-377-0x0000000006FA2000-0x0000000006FA4000-memory.dmp

Filesize
8KB

Download
memory/2708-206-0x0000000000000000-mapping.dmp

Download
memory/2708-361-0x00000000078B0000-0x0000000008405000-memory.dmp

Filesize
11.3MB

Download
memory/3064-743-0x0000000000000000-mapping.dmp

Download
memory/3680-761-0x0000000000000000-mapping.dmp

Download
memory/3720-833-0x0000000000000000-mapping.dmp

Download
memory/3724-606-0x0000000000000000-mapping.dmp

Download
memory/3776-587-0x000001D1CF6E0000-0x000001D1CF995000-memory.dmp

Filesize
2.7MB

Download
memory/3776-605-0x000001D1CF6E0000-0x000001D1CF995000-memory.dmp

Filesize
2.7MB

Download
memory/3776-576-0x00007FF7F99B5FD0-mapping.dmp

Download
memory/3864-585-0x0000000006BE0000-0x0000000007735000-memory.dmp

Filesize
11.3MB

Download
memory/3864-579-0x0000000006BE0000-0x0000000007735000-memory.dmp

Filesize
11.3MB

Download
memory/3864-487-0x0000000000000000-mapping.dmp

Download
memory/3960-797-0x0000000000000000-mapping.dmp

Download
memory/3988-887-0x0000000000000000-mapping.dmp

Download
memory/4300-815-0x0000000000000000-mapping.dmp

Download
memory/4512-905-0x0000000000000000-mapping.dmp

Download
memory/4524-634-0x0000021100000000-0x00000211002B5000-memory.dmp

Filesize
2.7MB

Download
memory/4524-629-0x00007FF7F99B5FD0-mapping.dmp

Download
memory/4724-653-0x0000000000000000-mapping.dmp

Download
memory/4924-869-0x0000000000000000-mapping.dmp

Download
memory/4960-620-0x0000000005CD0000-0x0000000006825000-memory.dmp

Filesize
11.3MB

Download
memory/4960-456-0x0000000005CD0000-0x0000000006825000-memory.dmp

Filesize
11.3MB

Download
memory/4976-379-0x0000000000430000-0x00000000006D4000-memory.dmp

Filesize
2.6MB

Download
memory/4976-416-0x000001EC1F750000-0x000001EC1FA05000-memory.dmp

Filesize
2.7MB

Download
memory/4976-380-0x000001EC1F750000-0x000001EC1FA05000-memory.dmp

Filesize
2.7MB

Download
memory/4976-373-0x00007FF7F99B5FD0-mapping.dmp

Download
memory/5036-725-0x0000000000000000-mapping.dmp

Download
memory/5052-635-0x0000000000000000-mapping.dmp

Download
memory/5104-689-0x0000000000000000-mapping.dmp

Download