lumma | 46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c

Analysis

max time kernel
101s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
Size

210KB
MD5

41e38c3978f599bf1fc60b6bb5862b0a
SHA1

440b7da66c9a3ba22fb3bcf2eb80253c2d73b3f5
SHA256

46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c
SHA512

148918a9d608efa0ad229c97449c100a60e3f4f2e3b971a30f149f35328895b1d4d4e76900da4ee655abdff14b471b864113aea1d59c28a270ef03528c487e37
SSDEEP

3072:xMXjiiy0W5hed5mr/SZ7fC8TOl+VPRwDoTQqaq6hKi:xIxWX3+Z7BO+VPGDo6

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4876-133-0x0000000002E30000-0x0000000002E39000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

39 460 rundll32.exe
43 460 rundll32.exe
63 460 rundll32.exe
73 460 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

FBE9.exe686F.exe

pid process

4844 FBE9.exe
1716 686F.exe

flow	pid	process
39	460	rundll32.exe
43	460	rundll32.exe
63	460	rundll32.exe
73	460	rundll32.exe

pid	process
4844	FBE9.exe
1716	686F.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A12_Spinner\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\A12_Spinner.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A12_Spinner\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

460 rundll32.exe
5004 svchost.exe
4932 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
460	rundll32.exe
5004	svchost.exe
4932	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 460 set thread context of 1560	460	rundll32.exe	rundll32.exe
PID 460 set thread context of 4244	460	rundll32.exe	rundll32.exe
PID 460 set thread context of 3396	460	rundll32.exe	rundll32.exe
PID 460 set thread context of 2708	460	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\remove.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4984 4844 WerFault.exe FBE9.exe
3792 1716 WerFault.exe 686F.exe

pid	pid_target	process	target process
4984	4844	WerFault.exe	FBE9.exe
3792	1716	WerFault.exe	686F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 57 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056c92e100054656d7000003a0009000400efbe0c55ec983056c92e2e0000000000000000000000000000000000000000000000000055f32300540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2432

pid	process
2432

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe

pid	process
4876	46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
4876	46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2432
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe

pid process

4876 46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe

pid	process
2432

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeDebugPrivilege	460	rundll32.exe
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1560	rundll32.exe
2432
2432
2432
2432
460	rundll32.exe
2432
2432
2432
2432
4244	rundll32.exe
460	rundll32.exe
3396	rundll32.exe
460	rundll32.exe
2708	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2432
2432

pid	process
2432
2432

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

FBE9.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2432 wrote to memory of 4844	2432		FBE9.exe
PID 2432 wrote to memory of 4844	2432		FBE9.exe
PID 2432 wrote to memory of 4844	2432		FBE9.exe
PID 4844 wrote to memory of 460	4844	FBE9.exe	rundll32.exe
PID 4844 wrote to memory of 460	4844	FBE9.exe	rundll32.exe
PID 4844 wrote to memory of 460	4844	FBE9.exe	rundll32.exe
PID 2432 wrote to memory of 1716	2432		686F.exe
PID 2432 wrote to memory of 1716	2432		686F.exe
PID 2432 wrote to memory of 1716	2432		686F.exe
PID 5004 wrote to memory of 4932	5004	svchost.exe	rundll32.exe
PID 5004 wrote to memory of 4932	5004	svchost.exe	rundll32.exe
PID 5004 wrote to memory of 4932	5004	svchost.exe	rundll32.exe
PID 460 wrote to memory of 1560	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 1560	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 1560	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4948	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4948	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4948	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 2440	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 2440	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 2440	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 4244	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4244	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4244	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 632	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 632	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 632	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 3396	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 3396	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 3396	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 1924	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 1924	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 1924	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 2708	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 2708	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 2708	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 1892	460	rundll32.exe	Conhost.exe
PID 460 wrote to memory of 1892	460	rundll32.exe	Conhost.exe
PID 460 wrote to memory of 1892	460	rundll32.exe	Conhost.exe
PID 460 wrote to memory of 1420	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 1420	460	rundll32.exe	schtasks.exe
PID 460 wrote to memory of 1420	460	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe
"C:\Users\Admin\AppData\Local\Temp\46e55e6ff8f39a1f6aeb07b038e14f7a794c017ddd6e5a51e5fdaca33ccd077c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4876

C:\Users\Admin\AppData\Local\Temp\FBE9.exe
C:\Users\Admin\AppData\Local\Temp\FBE9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:460

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1560

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2440

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4244

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3396

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1924

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2708

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1892

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1420

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:408

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:932

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4076

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4772

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3452

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1892

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:3792

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3528

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3064

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4400

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
PID:4564

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 468
2⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4844 -ip 4844
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\686F.exe
C:\Users\Admin\AppData\Local\Temp\686F.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1272
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1716 -ip 1716
1⤵
PID:1468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\a12_spinner.dll",okZc
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll

Filesize
774KB

MD5
eba771f8edb6b8241af04fec480fdab9

SHA1
a70f1193a87b7a8a81441395b80f75c20e421e9d

SHA256
a367c49e9abc949549202c9980d1c82c3676b3f215c16944261b8a1797d0ff09

SHA512
42dbd233b3813fc454abc4c1d07bd4a86ea439c0d1346670510f356bdec006d3e0846d7fc526a123149fb440496d2322c816600c4441bba8b8ccd09c5016e7fa

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll

Filesize
774KB

MD5
eba771f8edb6b8241af04fec480fdab9

SHA1
a70f1193a87b7a8a81441395b80f75c20e421e9d

SHA256
a367c49e9abc949549202c9980d1c82c3676b3f215c16944261b8a1797d0ff09

SHA512
42dbd233b3813fc454abc4c1d07bd4a86ea439c0d1346670510f356bdec006d3e0846d7fc526a123149fb440496d2322c816600c4441bba8b8ccd09c5016e7fa

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
68148203b5246d5fa69afa01b07dc6cf

SHA1
cad75838ec17863afa0d60f944e298f4ab8cbc6e

SHA256
1c6f92bcd9018b6b79565fab20772aa109a0c20518cff4dd017a40711c7202cf

SHA512
2b115593127be8d86511b4ad57f6827ca7c7f208465d35b6e555d51113f3b31f8aa4133926f5de53f8c5cf8368e2fb6a7e34b8e89d8bb32a713d7b5f055d1c7d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
68148203b5246d5fa69afa01b07dc6cf

SHA1
cad75838ec17863afa0d60f944e298f4ab8cbc6e

SHA256
1c6f92bcd9018b6b79565fab20772aa109a0c20518cff4dd017a40711c7202cf

SHA512
2b115593127be8d86511b4ad57f6827ca7c7f208465d35b6e555d51113f3b31f8aa4133926f5de53f8c5cf8368e2fb6a7e34b8e89d8bb32a713d7b5f055d1c7d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\pictures.ico

Filesize
81KB

MD5
8e3fed079e101c5dcb906371c2b546a3

SHA1
7fbf444c9361684228f643984f1333c271e86bf2

SHA256
b0203f1dc9e443dc5081b0f882934241645a5de4cc4b1e47b3460d17446a87d4

SHA512
898c825d9f20f3d20cb389328561ff70bd0c762dcc1369bd0bb633130aee9dcf60b433da66c3a37dd1d46a70614abd955a323589917ed85e0ec5698cdd0268c2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml

Filesize
1KB

MD5
09e877cc25ec3ade6e0d56000025e7ae

SHA1
fef683c766926d84804867a6a711c200e2ceb406

SHA256
995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

SHA512
02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
121B

MD5
289935a24fcaf93d1d41b4842414bdb0

SHA1
5e83951c0aeaefa25b0f918e9b3ceddb7d23d949

SHA256
12493caa467a364b7cc88d930fb41372ae8960605b12547f0283577b1564c58c

SHA512
e8dfa0c926def3a80aef8ace3edd8da408cf3e286a3bd5769db29c0d99be7febf166131b750898f48aa6932de6b4b8598f076b90aa9666696de9d7cc29063aa8

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\utc.tracing.json.bk

Filesize
28B

MD5
6c7e84cb1a40e1e6a5cfe37e2ceaad04

SHA1
a2781444bb3c55196292df729b01be707ec1953a

SHA256
c6bf69533d3fc2c00d2e601726411163cae0e6cb168662eb6a58b492a25b042c

SHA512
97c9bc007beda6e6ea9c9aeea3f4033fe77304d5417a9f9f97ede9ed168f7259053f5861227a3a7eaa4859d1d1a7898705b0f8aae9527b4b607ab205e3b6e9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\686F.exe

Filesize
248KB

MD5
e2d40676fa2b1dd7966d50ccbf5acbde

SHA1
e54498df173d571cff586b7594762b054ced5ea6

SHA256
7b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084

SHA512
3b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df

Download Submit
C:\Users\Admin\AppData\Local\Temp\686F.exe

Filesize
248KB

MD5
e2d40676fa2b1dd7966d50ccbf5acbde

SHA1
e54498df173d571cff586b7594762b054ced5ea6

SHA256
7b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084

SHA512
3b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBE9.exe

Filesize
1.1MB

MD5
fd94680e7257e1ab0f52814dd2a9405c

SHA1
f70f02d0c46846492b7488f177e7b98e004f0bcf

SHA256
b7f022a18ffa2c3794fd4d33c1a276bce9dd2f31b7b4c3060fcfaa44a643f556

SHA512
ac238a3f96cb0d27ecb864ea298d62cdded12f626ceca56a323014c04313a3af23aade1ec4b72e81ea109b506647eadde618ce85398e54c924e86d6361081e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBE9.exe

Filesize
1.1MB

MD5
fd94680e7257e1ab0f52814dd2a9405c

SHA1
f70f02d0c46846492b7488f177e7b98e004f0bcf

SHA256
b7f022a18ffa2c3794fd4d33c1a276bce9dd2f31b7b4c3060fcfaa44a643f556

SHA512
ac238a3f96cb0d27ecb864ea298d62cdded12f626ceca56a323014c04313a3af23aade1ec4b72e81ea109b506647eadde618ce85398e54c924e86d6361081e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\a12_spinner.dll

Filesize
774KB

MD5
eba771f8edb6b8241af04fec480fdab9

SHA1
a70f1193a87b7a8a81441395b80f75c20e421e9d

SHA256
a367c49e9abc949549202c9980d1c82c3676b3f215c16944261b8a1797d0ff09

SHA512
42dbd233b3813fc454abc4c1d07bd4a86ea439c0d1346670510f356bdec006d3e0846d7fc526a123149fb440496d2322c816600c4441bba8b8ccd09c5016e7fa

Download Submit
memory/216-270-0x0000000000000000-mapping.dmp

Download
memory/408-224-0x0000000000000000-mapping.dmp

Download
memory/460-208-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-261-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-152-0x0000000005190000-0x0000000005CE5000-memory.dmp

Filesize
11.3MB

Download
memory/460-238-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-154-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-155-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-239-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-230-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-229-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-159-0x0000000005190000-0x0000000005CE5000-memory.dmp

Filesize
11.3MB

Download
memory/460-291-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-228-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-227-0x00000000071B0000-0x00000000072F0000-memory.dmp

Filesize
1.2MB

Download
memory/460-219-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-218-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-139-0x0000000000000000-mapping.dmp

Download
memory/460-295-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-217-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-299-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-279-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-278-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-274-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-172-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-173-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-174-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-175-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-216-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-240-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-241-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-249-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-250-0x00000000071B0000-0x00000000072F0000-memory.dmp

Filesize
1.2MB

Download
memory/460-273-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-251-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-209-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-184-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-185-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-186-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-187-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-272-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-271-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-301-0x00000000048D7000-0x00000000048D9000-memory.dmp

Filesize
8KB

Download
memory/460-207-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-151-0x0000000005190000-0x0000000005CE5000-memory.dmp

Filesize
11.3MB

Download
memory/460-263-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-205-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-195-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-196-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-197-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-198-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-262-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/460-260-0x00000000071B0000-0x00000000072F0000-memory.dmp

Filesize
1.2MB

Download
memory/460-252-0x00000000048A0000-0x00000000049E0000-memory.dmp

Filesize
1.2MB

Download
memory/632-194-0x0000000000000000-mapping.dmp

Download
memory/792-257-0x0000000000000000-mapping.dmp

Download
memory/932-225-0x0000000000000000-mapping.dmp

Download
memory/956-237-0x0000000000000000-mapping.dmp

Download
memory/956-307-0x0000000000000000-mapping.dmp

Download
memory/1420-214-0x0000000000000000-mapping.dmp

Download
memory/1464-259-0x0000000000000000-mapping.dmp

Download
memory/1504-268-0x0000000000000000-mapping.dmp

Download
memory/1560-176-0x00007FF7733D6890-mapping.dmp

Download
memory/1560-182-0x000002D2F36B0000-0x000002D2F3965000-memory.dmp

Filesize
2.7MB

Download
memory/1560-180-0x000002D2F36B0000-0x000002D2F3965000-memory.dmp

Filesize
2.7MB

Download
memory/1560-179-0x0000000000390000-0x0000000000634000-memory.dmp

Filesize
2.6MB

Download
memory/1560-178-0x000002D2F5110000-0x000002D2F5250000-memory.dmp

Filesize
1.2MB

Download
memory/1560-177-0x000002D2F5110000-0x000002D2F5250000-memory.dmp

Filesize
1.2MB

Download
memory/1684-223-0x000001F97A1E0000-0x000001F97A495000-memory.dmp

Filesize
2.7MB

Download
memory/1684-221-0x000001F97BC40000-0x000001F97BD80000-memory.dmp

Filesize
1.2MB

Download
memory/1684-226-0x000001F97A1E0000-0x000001F97A495000-memory.dmp

Filesize
2.7MB

Download
memory/1684-222-0x000001F97BC40000-0x000001F97BD80000-memory.dmp

Filesize
1.2MB

Download
memory/1684-220-0x00007FF7733D6890-mapping.dmp

Download
memory/1716-148-0x0000000002E19000-0x0000000002E33000-memory.dmp

Filesize
104KB

Download
memory/1716-145-0x0000000000000000-mapping.dmp

Download
memory/1716-149-0x0000000002D20000-0x0000000002D4A000-memory.dmp

Filesize
168KB

Download
memory/1716-150-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1716-153-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1892-206-0x0000000000000000-mapping.dmp

Download
memory/1924-203-0x0000000000000000-mapping.dmp

Download
memory/2100-293-0x0000000000000000-mapping.dmp

Download
memory/2440-183-0x0000000000000000-mapping.dmp

Download
memory/2444-294-0x0000025563DA0000-0x0000025564055000-memory.dmp

Filesize
2.7MB

Download
memory/2444-292-0x0000025563DA0000-0x0000025564055000-memory.dmp

Filesize
2.7MB

Download
memory/2444-288-0x00007FF7733D6890-mapping.dmp

Download
memory/2708-213-0x0000016E23370000-0x0000016E23625000-memory.dmp

Filesize
2.7MB

Download
memory/2708-215-0x0000016E23370000-0x0000016E23625000-memory.dmp

Filesize
2.7MB

Download
memory/2708-210-0x00007FF7733D6890-mapping.dmp

Download
memory/2708-212-0x0000016E24DD0000-0x0000016E24F10000-memory.dmp

Filesize
1.2MB

Download
memory/2708-211-0x0000016E24DD0000-0x0000016E24F10000-memory.dmp

Filesize
1.2MB

Download
memory/2740-265-0x00000179B8F00000-0x00000179B9040000-memory.dmp

Filesize
1.2MB

Download
memory/2740-266-0x00000179B8F00000-0x00000179B9040000-memory.dmp

Filesize
1.2MB

Download
memory/2740-267-0x00000179B74A0000-0x00000179B7755000-memory.dmp

Filesize
2.7MB

Download
memory/2740-264-0x00007FF7733D6890-mapping.dmp

Download
memory/2740-269-0x00000179B74A0000-0x00000179B7755000-memory.dmp

Filesize
2.7MB

Download
memory/3064-283-0x0000000000000000-mapping.dmp

Download
memory/3396-204-0x0000025FD7AD0000-0x0000025FD7D85000-memory.dmp

Filesize
2.7MB

Download
memory/3396-199-0x00007FF7733D6890-mapping.dmp

Download
memory/3396-200-0x0000025FD7940000-0x0000025FD7A80000-memory.dmp

Filesize
1.2MB

Download
memory/3396-201-0x0000025FD7940000-0x0000025FD7A80000-memory.dmp

Filesize
1.2MB

Download
memory/3396-202-0x0000025FD7AD0000-0x0000025FD7D85000-memory.dmp

Filesize
2.7MB

Download
memory/3452-248-0x0000000000000000-mapping.dmp

Download
memory/3528-281-0x0000000000000000-mapping.dmp

Download
memory/3792-275-0x00007FF7733D6890-mapping.dmp

Download
memory/3792-276-0x0000019030420000-0x0000019030560000-memory.dmp

Filesize
1.2MB

Download
memory/3792-280-0x000001902E9C0000-0x000001902EC75000-memory.dmp

Filesize
2.7MB

Download
memory/3792-282-0x000001902E9C0000-0x000001902EC75000-memory.dmp

Filesize
2.7MB

Download
memory/4076-235-0x0000000000000000-mapping.dmp

Download
memory/4192-246-0x0000000000000000-mapping.dmp

Download
memory/4244-189-0x0000023194430000-0x0000023194570000-memory.dmp

Filesize
1.2MB

Download
memory/4244-190-0x0000023194430000-0x0000023194570000-memory.dmp

Filesize
1.2MB

Download
memory/4244-188-0x00007FF7733D6890-mapping.dmp

Download
memory/4244-193-0x00000231929D0000-0x0000023192C85000-memory.dmp

Filesize
2.7MB

Download
memory/4244-192-0x00000231929D0000-0x0000023192C85000-memory.dmp

Filesize
2.7MB

Download
memory/4320-253-0x00007FF7733D6890-mapping.dmp

Download
memory/4320-254-0x000001AF2E130000-0x000001AF2E270000-memory.dmp

Filesize
1.2MB

Download
memory/4320-258-0x000001AF2C6C0000-0x000001AF2C975000-memory.dmp

Filesize
2.7MB

Download
memory/4320-255-0x000001AF2C6C0000-0x000001AF2C975000-memory.dmp

Filesize
2.7MB

Download
memory/4320-256-0x000001AF2E130000-0x000001AF2E270000-memory.dmp

Filesize
1.2MB

Download
memory/4400-296-0x0000000000000000-mapping.dmp

Download
memory/4564-306-0x00000257C6420000-0x00000257C66D5000-memory.dmp

Filesize
2.7MB

Download
memory/4564-308-0x00000257C6420000-0x00000257C66D5000-memory.dmp

Filesize
2.7MB

Download
memory/4564-303-0x00007FF7733D6890-mapping.dmp

Download
memory/4772-242-0x00007FF7733D6890-mapping.dmp

Download
memory/4772-247-0x00000241BAD20000-0x00000241BAFD5000-memory.dmp

Filesize
2.7MB

Download
memory/4772-243-0x00000241BC780000-0x00000241BC8C0000-memory.dmp

Filesize
1.2MB

Download
memory/4772-244-0x00000241BC780000-0x00000241BC8C0000-memory.dmp

Filesize
1.2MB

Download
memory/4772-245-0x00000241BAD20000-0x00000241BAFD5000-memory.dmp

Filesize
2.7MB

Download
memory/4844-142-0x00000000048F2000-0x00000000049DB000-memory.dmp

Filesize
932KB

Download
memory/4844-136-0x0000000000000000-mapping.dmp

Download
memory/4844-144-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/4844-143-0x00000000049E0000-0x0000000004B0E000-memory.dmp

Filesize
1.2MB

Download
memory/4876-133-0x0000000002E30000-0x0000000002E39000-memory.dmp

Filesize
36KB

Download
memory/4876-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4876-132-0x0000000002ED8000-0x0000000002EE9000-memory.dmp

Filesize
68KB

Download
memory/4876-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4932-171-0x0000000004A70000-0x00000000055C5000-memory.dmp

Filesize
11.3MB

Download
memory/4932-170-0x0000000004A70000-0x00000000055C5000-memory.dmp

Filesize
11.3MB

Download
memory/4932-167-0x0000000000000000-mapping.dmp

Download
memory/4948-181-0x0000000000000000-mapping.dmp

Download
memory/4948-236-0x000002AAC2D20000-0x000002AAC2FD5000-memory.dmp

Filesize
2.7MB

Download
memory/4948-232-0x000002AAC47A0000-0x000002AAC48E0000-memory.dmp

Filesize
1.2MB

Download
memory/4948-231-0x00007FF7733D6890-mapping.dmp

Download
memory/4948-233-0x000002AAC47A0000-0x000002AAC48E0000-memory.dmp

Filesize
1.2MB

Download
memory/4948-234-0x000002AAC2D20000-0x000002AAC2FD5000-memory.dmp

Filesize
2.7MB

Download
memory/5004-191-0x0000000004610000-0x0000000005165000-memory.dmp

Filesize
11.3MB

Download
memory/5004-160-0x0000000004610000-0x0000000005165000-memory.dmp

Filesize
11.3MB

Download
memory/5004-169-0x0000000004610000-0x0000000005165000-memory.dmp

Filesize
11.3MB

Download