lumma | 6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7

Analysis

max time kernel
85s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
Size

210KB
MD5

9ab2e2eb1ac2586e07d6104d01cd1b90
SHA1

b6f267f80605be7aa59691f4ce0779572a59abb7
SHA256

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7
SHA512

c7863e97837427614eac42e64c89b5e0cb943ee4978c3267146cd977055a57476ca4cdf80a033120584ad5f66cbbd427496bceeebc6dc8103f76d577ca3dac45
SSDEEP

3072:HX1QDSkCkos5p4msqoovTbx/np2u7LBwcri:343EmNDPmuv

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-134-0x0000000004790000-0x0000000004799000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1160 created 1868 1160 svchost.exe rundll32.exe
PID 1160 created 2460 1160 svchost.exe svchost.exe
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

47 1868 rundll32.exe
51 1868 rundll32.exe
62 1868 rundll32.exe
64 1868 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

3B34.exe5322.exe5e7a7179.exe5e7a7179.exe

pid process

1996 3B34.exe
2304 5322.exe
1936 5e7a7179.exe
4864 5e7a7179.exe

description	pid	process	target process
PID 1160 created 1868	1160	svchost.exe	rundll32.exe
PID 1160 created 2460	1160	svchost.exe	svchost.exe

flow	pid	process
47	1868	rundll32.exe
51	1868	rundll32.exe
62	1868	rundll32.exe
64	1868	rundll32.exe

pid	process
1996	3B34.exe
2304	5322.exe
1936	5e7a7179.exe
4864	5e7a7179.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_shared\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_shared.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_shared\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_shared.dll㸀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_shared\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1868 rundll32.exe
2460 svchost.exe
2404 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1868	rundll32.exe
2460	svchost.exe
2404	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1868 set thread context of 1620	1868	rundll32.exe	rundll32.exe
PID 1868 set thread context of 4304	1868	rundll32.exe	rundll32.exe

Drops file in Program Files directory 33 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DarkTheme.acrotheme	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3120 1996 WerFault.exe 3B34.exe
4148 2304 WerFault.exe 5322.exe
836 1936 WerFault.exe 5e7a7179.exe

pid	pid_target	process	target process
3120	1996	WerFault.exe	3B34.exe
4148	2304	WerFault.exe	5322.exe
836	1936	WerFault.exe	5e7a7179.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 39 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f5612a2100054656d7000003a0009000400efbe21550a582f5613a22e0000000000000000000000000000000000000000000000000015fef500540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2416

pid	process
2416

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe

pid	process
2392	6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
2392	6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe

pid process

2392 6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe

pid	process
2416

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

rundll32.exesvchost.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeDebugPrivilege	1868	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	1868	rundll32.exe
Token: SeTcbPrivilege	1160	svchost.exe
Token: SeTcbPrivilege	1160	svchost.exe
Token: SeBackupPrivilege	1160	svchost.exe
Token: SeRestorePrivilege	1160	svchost.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeAssignPrimaryTokenPrivilege	2460	svchost.exe
Token: SeBackupPrivilege	1160	svchost.exe
Token: SeRestorePrivilege	1160	svchost.exe
Token: SeBackupPrivilege	1160	svchost.exe
Token: SeRestorePrivilege	1160	svchost.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1620 rundll32.exe
4304 rundll32.exe
2416
2416
2416
2416
1868 rundll32.exe
2416
2416
2416
2416
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2416
2416

pid	process
1620	rundll32.exe
4304	rundll32.exe
2416
2416
2416
2416
1868	rundll32.exe
2416
2416
2416
2416

pid	process
2416
2416

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

3B34.exesvchost.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2416 wrote to memory of 1996	2416		3B34.exe
PID 2416 wrote to memory of 1996	2416		3B34.exe
PID 2416 wrote to memory of 1996	2416		3B34.exe
PID 2416 wrote to memory of 2304	2416		5322.exe
PID 2416 wrote to memory of 2304	2416		5322.exe
PID 2416 wrote to memory of 2304	2416		5322.exe
PID 1996 wrote to memory of 1868	1996	3B34.exe	rundll32.exe
PID 1996 wrote to memory of 1868	1996	3B34.exe	rundll32.exe
PID 1996 wrote to memory of 1868	1996	3B34.exe	rundll32.exe
PID 1160 wrote to memory of 1936	1160	svchost.exe	5e7a7179.exe
PID 1160 wrote to memory of 1936	1160	svchost.exe	5e7a7179.exe
PID 1160 wrote to memory of 1936	1160	svchost.exe	5e7a7179.exe
PID 1868 wrote to memory of 1620	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1620	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1620	1868	rundll32.exe	rundll32.exe
PID 2460 wrote to memory of 2404	2460	svchost.exe	rundll32.exe
PID 2460 wrote to memory of 2404	2460	svchost.exe	rundll32.exe
PID 2460 wrote to memory of 2404	2460	svchost.exe	rundll32.exe
PID 1868 wrote to memory of 4304	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 4304	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 4304	1868	rundll32.exe	rundll32.exe
PID 1160 wrote to memory of 4864	1160	svchost.exe	5e7a7179.exe
PID 1160 wrote to memory of 4864	1160	svchost.exe	5e7a7179.exe
PID 1160 wrote to memory of 4864	1160	svchost.exe	5e7a7179.exe
PID 1868 wrote to memory of 3572	1868	rundll32.exe	schtasks.exe
PID 1868 wrote to memory of 3572	1868	rundll32.exe	schtasks.exe
PID 1868 wrote to memory of 3572	1868	rundll32.exe	schtasks.exe
PID 1868 wrote to memory of 5092	1868	rundll32.exe	schtasks.exe
PID 1868 wrote to memory of 5092	1868	rundll32.exe	schtasks.exe
PID 1868 wrote to memory of 5092	1868	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe
"C:\Users\Admin\AppData\Local\Temp\6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2392

C:\Users\Admin\AppData\Local\Temp\3B34.exe
C:\Users\Admin\AppData\Local\Temp\3B34.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1868

C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
3⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 388
4⤵
- Program crash
PID:836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4304

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2272

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3912

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3460

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4516

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3696

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3976

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2228

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1212

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2828

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3172

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 468
2⤵
- Program crash
PID:3120

C:\Users\Admin\AppData\Local\Temp\5322.exe
C:\Users\Admin\AppData\Local\Temp\5322.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1356
2⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1996 -ip 1996
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2304 -ip 2304
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\review_shared.dll",kjBi
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2404

C:\Windows\TEMP\5e7a7179.exe
C:\Windows\TEMP\5e7a7179.exe
2⤵
- Executes dropped EXE
PID:4864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1936 -ip 1936
1⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"chrome.exe" --no-first-run --no-default-browser-check --silent-launch --restore-last-session --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --disable-crash-reporter --ran-launcher --profile-directory="Default"
1⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcb324f50,0x7fffcb324f60,0x7fffcb324f70
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,8545516573625930898,2164416585732219054,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,8545516573625930898,2164416585732219054,131072 --lang=en-US --service-sandbox-type=network --disable-audio-output --mojo-platform-channel-handle=1988 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,8545516573625930898,2164416585732219054,131072 --lang=en-US --service-sandbox-type=utility --disable-audio-output --mojo-platform-channel-handle=2328 /prefetch:8
2⤵
PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.dll
Filesize
774KB

MD5
f28a71ff9a6935b3e5b51212b17f1d45

SHA1
f140a6340f4786fa879f3f94136b9290bab722d3

SHA256
3756bd3c0ed7c936f3fcf3f37befed97af531cbcb72d3326b27f5e671cd857c0

SHA512
f5a56a9c35bf52666d68fe6d4ff3c7a28d27259a86a1cb5a46b55a94d71760340b1c2e275d0aa8eaa16abdd7575d4f23daca198db8a432d153432907b022406f

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.dll
Filesize
774KB

MD5
f28a71ff9a6935b3e5b51212b17f1d45

SHA1
f140a6340f4786fa879f3f94136b9290bab722d3

SHA256
3756bd3c0ed7c936f3fcf3f37befed97af531cbcb72d3326b27f5e671cd857c0

SHA512
f5a56a9c35bf52666d68fe6d4ff3c7a28d27259a86a1cb5a46b55a94d71760340b1c2e275d0aa8eaa16abdd7575d4f23daca198db8a432d153432907b022406f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32mui.msi.16.en-us.xml
Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.CredDialogHost_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
1KB

MD5
8c59faf203fc8a2a460920be06eb2b4e

SHA1
833cf94c8a893ed6199812f4ca6f177af7dc43c1

SHA256
b7e5f69aa3d04494c0a0d3a09b70d48b38b5264f74c04a49e5886bb6cc78889a

SHA512
5fa0271ecb6995cac9c003e6d3313c6fa5f89a360711ff4b80292379f58c33d8802413c8c63d1312913934a7144f0a2cfffddeab05d69afd4a1d810c5003bc5f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftEdgeUpdate.log
Filesize
111KB

MD5
e39b53bc15d45c7803abce26e18b8bdd

SHA1
6e72fd4d1f58ece0b50e8287a4af70ee2bab2cb0

SHA256
5bd09bea1a88763d840e86958bb740ea93e0ab69355b5c173ededde665268909

SHA512
a33fe209c746c667669ae185acad28fab8e719f578b8ee64ea7fba9d1ed4b4f5e267959db9e7510c8a07e3b98dee32111144d689d2f403f819ec8fc74f5826f5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
87075769aaa3b3b734cc178a28c1a5ae

SHA1
d65e270ee3b5f9abb2949e23361f368aadd37693

SHA256
02f8b3959373e542d51342a921c371141839307ecc9bc45889b457dc44e30dd9

SHA512
e0a005e8701e6692b316d192606158d193d38281f6f33ec4f814db09aa171780380337beb2dd3ca960e9a5fb1571c18361b03b620de2a05bbb582f4c314b05f3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\abcpy.ini
Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.chk
Filesize
8KB

MD5
53c7b3248464b8fc70393399f35209a5

SHA1
2d4c938da22645705e5010cb51c66a700c0a30cd

SHA256
7699c95a4fbb20915b22754cfca657208714ab186042a9524311cb970020beb4

SHA512
a8d16656119803d895723b3065868d2e8d559e439dab427e1351494de382e4a90891100141e384a98e26ef244e1ecb6092840982cfac71d089328a6c06850e32

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
66963736ebb1e54dc596701206eaed3f

SHA1
18bc8dfc779d407398af193f3d265ff93f253bc2

SHA256
fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

SHA512
96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\utc.cert.json
Filesize
2KB

MD5
635a39ff9f822dcfd1fb3c22e6ffeb45

SHA1
148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca

SHA256
dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd

SHA512
f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B34.exe
Filesize
1.1MB

MD5
0222009e709c5801f1ea8edd9a198ec6

SHA1
371268659a9827f02210502b514f33aca62bb2ca

SHA256
3d1e452ce84407cbde17ddd4dfb7d1efd81f5ea3f61690c38a0dc97c4c284eb1

SHA512
69713e1678a01847a20227b43ebf1e97bf16b511dd2f9abf6aba24112e9fd95265a0a15b3d54562e2700edb813a596e99a4ff65d7814876c4a20bbd79e927f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B34.exe
Filesize
1.1MB

MD5
0222009e709c5801f1ea8edd9a198ec6

SHA1
371268659a9827f02210502b514f33aca62bb2ca

SHA256
3d1e452ce84407cbde17ddd4dfb7d1efd81f5ea3f61690c38a0dc97c4c284eb1

SHA512
69713e1678a01847a20227b43ebf1e97bf16b511dd2f9abf6aba24112e9fd95265a0a15b3d54562e2700edb813a596e99a4ff65d7814876c4a20bbd79e927f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\5322.exe
Filesize
248KB

MD5
3d92131e50a1b8aa8e84e987059bf2d3

SHA1
6e0d66119ac618710e2dd1c81e340d079d053304

SHA256
f8d13608a3238b1909ee373c32ff31930912f69bbad44560a6e10cdd35fe2271

SHA512
1d2fc9c7569e169b0179c36a636923444e0ca45ab4360ee834a921d9a45a2357c2cc0011fd99c73b02bfe67405cebf3dc388b4a1efe80fb3518ec9fa8dc75500

Download Submit
C:\Users\Admin\AppData\Local\Temp\5322.exe
Filesize
248KB

MD5
3d92131e50a1b8aa8e84e987059bf2d3

SHA1
6e0d66119ac618710e2dd1c81e340d079d053304

SHA256
f8d13608a3238b1909ee373c32ff31930912f69bbad44560a6e10cdd35fe2271

SHA512
1d2fc9c7569e169b0179c36a636923444e0ca45ab4360ee834a921d9a45a2357c2cc0011fd99c73b02bfe67405cebf3dc388b4a1efe80fb3518ec9fa8dc75500

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Windows\TEMP\5e7a7179.exe
Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Windows\Temp\5e7a7179.exe
Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\review_shared.dll
Filesize
774KB

MD5
f28a71ff9a6935b3e5b51212b17f1d45

SHA1
f140a6340f4786fa879f3f94136b9290bab722d3

SHA256
3756bd3c0ed7c936f3fcf3f37befed97af531cbcb72d3326b27f5e671cd857c0

SHA512
f5a56a9c35bf52666d68fe6d4ff3c7a28d27259a86a1cb5a46b55a94d71760340b1c2e275d0aa8eaa16abdd7575d4f23daca198db8a432d153432907b022406f

Download Submit
\??\pipe\crashpad_5080_OOUAOXYFIJNHXWMZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1212-338-0x00007FF6E1326890-mapping.dmp

Download
memory/1608-325-0x00007FF6E1326890-mapping.dmp

Download
memory/1608-329-0x000001A38CE00000-0x000001A38D0B5000-memory.dmp

Filesize
2.7MB

Download
memory/1620-195-0x00000188B4220000-0x00000188B4360000-memory.dmp

Filesize
1.2MB

Download
memory/1620-196-0x00000188B4220000-0x00000188B4360000-memory.dmp

Filesize
1.2MB

Download
memory/1620-193-0x00007FF6E1326890-mapping.dmp

Download
memory/1620-199-0x00000188B2950000-0x00000188B2C05000-memory.dmp

Filesize
2.7MB

Download
memory/1620-198-0x0000000000490000-0x0000000000734000-memory.dmp

Filesize
2.6MB

Download
memory/1620-214-0x00000188B2950000-0x00000188B2C05000-memory.dmp

Filesize
2.7MB

Download
memory/1832-240-0x0000020FE9990000-0x0000020FE9C45000-memory.dmp

Filesize
2.7MB

Download
memory/1832-238-0x0000020FE9990000-0x0000020FE9C45000-memory.dmp

Filesize
2.7MB

Download
memory/1832-236-0x0000020FEB270000-0x0000020FEB3B0000-memory.dmp

Filesize
1.2MB

Download
memory/1832-235-0x0000020FEB270000-0x0000020FEB3B0000-memory.dmp

Filesize
1.2MB

Download
memory/1832-234-0x00007FF6E1326890-mapping.dmp

Download
memory/1868-178-0x0000000004FB0000-0x0000000005B05000-memory.dmp

Filesize
11.3MB

Download
memory/1868-217-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-328-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-314-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-315-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-304-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-294-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-179-0x0000000004FB0000-0x0000000005B05000-memory.dmp

Filesize
11.3MB

Download
memory/1868-284-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-180-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-181-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-182-0x0000000004FB0000-0x0000000005B05000-memory.dmp

Filesize
11.3MB

Download
memory/1868-280-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-279-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-168-0x0000000000000000-mapping.dmp

Download
memory/1868-278-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-277-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-274-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-189-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-191-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-190-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-192-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-270-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-269-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-268-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-267-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-266-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-263-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-259-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-258-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-256-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-257-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-254-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-245-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-248-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-247-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-243-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-237-0x0000000004676000-0x0000000004678000-memory.dmp

Filesize
8KB

Download
memory/1868-233-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-232-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-231-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-230-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-218-0x00000000045D0000-0x0000000004710000-memory.dmp

Filesize
1.2MB

Download
memory/1868-216-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1868-215-0x0000000006E90000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1936-244-0x0000000004B6A000-0x0000000004DE0000-memory.dmp

Filesize
2.5MB

Download
memory/1936-183-0x0000000000000000-mapping.dmp

Download
memory/1936-246-0x0000000004DF0000-0x0000000005066000-memory.dmp

Filesize
2.5MB

Download
memory/1936-252-0x0000000000400000-0x0000000002E03000-memory.dmp

Filesize
42.0MB

Download
memory/1936-320-0x0000000000400000-0x0000000002E03000-memory.dmp

Filesize
42.0MB

Download
memory/1996-173-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/1996-159-0x0000000000000000-mapping.dmp

Download
memory/1996-172-0x0000000004A30000-0x0000000004B5E000-memory.dmp

Filesize
1.2MB

Download
memory/1996-171-0x0000000004946000-0x0000000004A2E000-memory.dmp

Filesize
928KB

Download
memory/2228-330-0x0000000000000000-mapping.dmp

Download
memory/2240-348-0x0000000000000000-mapping.dmp

Download
memory/2272-239-0x0000000000000000-mapping.dmp

Download
memory/2304-165-0x0000000000000000-mapping.dmp

Download
memory/2304-177-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/2304-176-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/2304-175-0x00000000046B0000-0x00000000046DA000-memory.dmp

Filesize
168KB

Download
memory/2304-174-0x0000000002C18000-0x0000000002C32000-memory.dmp

Filesize
104KB

Download
memory/2392-133-0x0000000002BA0000-0x0000000002CA0000-memory.dmp

Filesize
1024KB

Download
memory/2392-136-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2392-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2392-134-0x0000000004790000-0x0000000004799000-memory.dmp

Filesize
36KB

Download
memory/2404-213-0x00000000053E0000-0x0000000005F35000-memory.dmp

Filesize
11.3MB

Download
memory/2404-212-0x00000000053E0000-0x0000000005F35000-memory.dmp

Filesize
11.3MB

Download
memory/2404-211-0x00000000053E0000-0x0000000005F35000-memory.dmp

Filesize
11.3MB

Download
memory/2404-209-0x0000000000000000-mapping.dmp

Download
memory/2416-158-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-164-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-149-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-241-0x000000000DAC3000-0x000000000DAC6000-memory.dmp

Filesize
12KB

Download
memory/2416-144-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-137-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-143-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-138-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-319-0x00000000103B0000-0x000000001061B000-memory.dmp

Filesize
2.4MB

Download
memory/2416-152-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-162-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-139-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-163-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-146-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-148-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-141-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-140-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-145-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-147-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2460-197-0x0000000003BF0000-0x0000000004745000-memory.dmp

Filesize
11.3MB

Download
memory/2460-227-0x0000000003BF0000-0x0000000004745000-memory.dmp

Filesize
11.3MB

Download
memory/2828-345-0x0000000000000000-mapping.dmp

Download
memory/2888-261-0x0000017BDF4E0000-0x0000017BDF620000-memory.dmp

Filesize
1.2MB

Download
memory/2888-265-0x0000017BDDA80000-0x0000017BDDD35000-memory.dmp

Filesize
2.7MB

Download
memory/2888-260-0x00007FF6E1326890-mapping.dmp

Download
memory/2888-262-0x0000017BDF4E0000-0x0000017BDF620000-memory.dmp

Filesize
1.2MB

Download
memory/2888-264-0x0000017BDDA80000-0x0000017BDDD35000-memory.dmp

Filesize
2.7MB

Download
memory/2992-276-0x00000224E78C0000-0x00000224E7B75000-memory.dmp

Filesize
2.7MB

Download
memory/2992-271-0x00007FF6E1326890-mapping.dmp

Download
memory/2992-275-0x00000224E78C0000-0x00000224E7B75000-memory.dmp

Filesize
2.7MB

Download
memory/2992-273-0x00000224E9320000-0x00000224E9460000-memory.dmp

Filesize
1.2MB

Download
memory/2992-272-0x00000224E9320000-0x00000224E9460000-memory.dmp

Filesize
1.2MB

Download
memory/3148-361-0x0000000000000000-mapping.dmp

Download
memory/3172-358-0x0000000000000000-mapping.dmp

Download
memory/3460-291-0x00007FF6E1326890-mapping.dmp

Download
memory/3460-296-0x000001E6EC800000-0x000001E6ECAB5000-memory.dmp

Filesize
2.7MB

Download
memory/3460-295-0x000001E6EC800000-0x000001E6ECAB5000-memory.dmp

Filesize
2.7MB

Download
memory/3572-226-0x0000000000000000-mapping.dmp

Download
memory/3696-318-0x00000249F3530000-0x00000249F37E5000-memory.dmp

Filesize
2.7MB

Download
memory/3696-311-0x00007FF6E1326890-mapping.dmp

Download
memory/3696-316-0x00000249F3530000-0x00000249F37E5000-memory.dmp

Filesize
2.7MB

Download
memory/3900-242-0x0000000000000000-mapping.dmp

Download
memory/3912-285-0x000002E6D2440000-0x000002E6D26F5000-memory.dmp

Filesize
2.7MB

Download
memory/3912-283-0x000002E6D3EA0000-0x000002E6D3FE0000-memory.dmp

Filesize
1.2MB

Download
memory/3912-282-0x000002E6D3EA0000-0x000002E6D3FE0000-memory.dmp

Filesize
1.2MB

Download
memory/3912-286-0x000002E6D2440000-0x000002E6D26F5000-memory.dmp

Filesize
2.7MB

Download
memory/3912-281-0x00007FF6E1326890-mapping.dmp

Download
memory/3948-353-0x00007FF6E1326890-mapping.dmp

Download
memory/3976-317-0x0000000000000000-mapping.dmp

Download
memory/4248-334-0x0000000000000000-mapping.dmp

Download
memory/4304-228-0x000001FE15E10000-0x000001FE160C5000-memory.dmp

Filesize
2.7MB

Download
memory/4304-222-0x000001FE15E10000-0x000001FE160C5000-memory.dmp

Filesize
2.7MB

Download
memory/4304-220-0x000001FE17870000-0x000001FE179B0000-memory.dmp

Filesize
1.2MB

Download
memory/4304-219-0x00007FF6E1326890-mapping.dmp

Download
memory/4304-221-0x000001FE17870000-0x000001FE179B0000-memory.dmp

Filesize
1.2MB

Download
memory/4516-305-0x0000020DB3CA0000-0x0000020DB3F55000-memory.dmp

Filesize
2.7MB

Download
memory/4516-306-0x0000020DB3CA0000-0x0000020DB3F55000-memory.dmp

Filesize
2.7MB

Download
memory/4516-301-0x00007FF6E1326890-mapping.dmp

Download
memory/4760-249-0x00007FF6E1326890-mapping.dmp

Download
memory/4760-251-0x00000202ACFB0000-0x00000202AD0F0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-250-0x00000202ACFB0000-0x00000202AD0F0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-253-0x00000202AD100000-0x00000202AD3B5000-memory.dmp

Filesize
2.7MB

Download
memory/4760-255-0x00000202AD100000-0x00000202AD3B5000-memory.dmp

Filesize
2.7MB

Download
memory/4864-223-0x0000000000000000-mapping.dmp

Download
memory/5092-229-0x0000000000000000-mapping.dmp

Download