lumma | 3cf53784f9b2e28697c85914904080fb6f815bd1e45e62c164878777cd0494ba

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
Size

225KB
MD5

37c3ae28ca121fcfab6d67fbaded71bd
SHA1

cf239854e511823772c378f53ba5b0aeec8f55b8
SHA256

db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd
SHA512

7ff4c72d865ba0220d4788d59e33c8bc977bdc1f714e7ae81bfdd648a4bf8d4043a217ca7efd8aaf14a3343151a638c11561cfc66d261cf6c66e33bfa4a7b06d
SSDEEP

3072:D58L2AmKZNw1YF4qU67HPB/tHGWzlXPH8oSuBy79Y3Ox6qQo3:d8L201F4169/tHFN8o7BW9Hk5o

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4872-133-0x00000000006B0000-0x00000000006B9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

39 3640 rundll32.exe
42 3640 rundll32.exe
60 3640 rundll32.exe
72 3640 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1378.exe48E1.exe

pid process

2248 1378.exe
2540 48E1.exe

flow	pid	process
39	3640	rundll32.exe
42	3640	rundll32.exe
60	3640	rundll32.exe
72	3640	rundll32.exe

pid	process
2248	1378.exe
2540	48E1.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\nppdf32.dll䌀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\nppdf32.dllက"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\nppdf32.dll琀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3640 rundll32.exe
1144 svchost.exe
3676 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3640	rundll32.exe
1144	svchost.exe
3676	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3640 set thread context of 2988	3640	rundll32.exe	rundll32.exe
PID 3640 set thread context of 656	3640	rundll32.exe	rundll32.exe
PID 3640 set thread context of 4716	3640	rundll32.exe	rundll32.exe
PID 3640 set thread context of 1900	3640	rundll32.exe	rundll32.exe
PID 3640 set thread context of 4196	3640	rundll32.exe	rundll32.exe

Drops file in Program Files directory 14 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroTextExtractor.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4084 2248 WerFault.exe 1378.exe
2756 2540 WerFault.exe 48E1.exe

pid	pid_target	process	target process
4084	2248	WerFault.exe	1378.exe
2756	2540	WerFault.exe	48E1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056243d100054656d7000003a0009000400efbe21550a583056283d2e00000000000000000000000000000000000000000000000000680a7d00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

pid	process
4872	db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
4872	db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

pid process

4872 db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

pid	process
3040

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	3640	rundll32.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2988	rundll32.exe
3040
3040
3040
3040
3640	rundll32.exe
3040
3040
3040
3040
656	rundll32.exe
4716	rundll32.exe
3640	rundll32.exe
1900	rundll32.exe
3640	rundll32.exe
4196	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3040
3040

pid	process
3040
3040

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1378.exesvchost.exerundll32.exe

description	pid	process	target process
PID 3040 wrote to memory of 2248	3040		1378.exe
PID 3040 wrote to memory of 2248	3040		1378.exe
PID 3040 wrote to memory of 2248	3040		1378.exe
PID 2248 wrote to memory of 3640	2248	1378.exe	rundll32.exe
PID 2248 wrote to memory of 3640	2248	1378.exe	rundll32.exe
PID 2248 wrote to memory of 3640	2248	1378.exe	rundll32.exe
PID 3040 wrote to memory of 2540	3040		48E1.exe
PID 3040 wrote to memory of 2540	3040		48E1.exe
PID 3040 wrote to memory of 2540	3040		48E1.exe
PID 1144 wrote to memory of 3676	1144	svchost.exe	rundll32.exe
PID 1144 wrote to memory of 3676	1144	svchost.exe	rundll32.exe
PID 1144 wrote to memory of 3676	1144	svchost.exe	rundll32.exe
PID 3640 wrote to memory of 2988	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 2988	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 2988	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 780	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 780	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 780	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 656	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 656	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 656	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 5016	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 5016	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 5016	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 4716	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4716	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4716	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4124	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 4124	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 4124	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 3968	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 3968	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 3968	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 1900	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 1900	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 1900	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 116	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 116	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 116	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 4196	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4196	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4196	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 2164	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 2164	3640	rundll32.exe	schtasks.exe
PID 3640 wrote to memory of 2164	3640	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe
"C:\Users\Admin\AppData\Local\Temp\db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4872

C:\Users\Admin\AppData\Local\Temp\1378.exe
C:\Users\Admin\AppData\Local\Temp\1378.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:780

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:656

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4124

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2164

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2156

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3784

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2576

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1960

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:472

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4124

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2096

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3312

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3464

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3064

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4700

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1128

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2400

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 576
2⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2248 -ip 2248
1⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\48E1.exe
C:\Users\Admin\AppData\Local\Temp\48E1.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1344
2⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2540 -ip 2540
1⤵
PID:2256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\nppdf32.dll",NisL
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll

Filesize
774KB

MD5
900146be318bbebb371276ad5fcde983

SHA1
686b2a18d022dc8ee958bd189ee7e3cc528cf75a

SHA256
8b09217eaa834449dffd1e16d06c1dcec54af21f940d7acf9e69e58b935eb119

SHA512
991c2c47789e331975e40a7bf1a2bd78dfe8dfe6b556d6ab138276805adca48ed2d117885b492c9025ffd8de2aaa53c1ce564f5df62ed97b628632f6acf252ea

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll

Filesize
774KB

MD5
900146be318bbebb371276ad5fcde983

SHA1
686b2a18d022dc8ee958bd189ee7e3cc528cf75a

SHA256
8b09217eaa834449dffd1e16d06c1dcec54af21f940d7acf9e69e58b935eb119

SHA512
991c2c47789e331975e40a7bf1a2bd78dfe8dfe6b556d6ab138276805adca48ed2d117885b492c9025ffd8de2aaa53c1ce564f5df62ed97b628632f6acf252ea

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiPT0000.002

Filesize
64KB

MD5
9fb48482cf535e1ce23cbfa8d0c6c078

SHA1
942e26a921b9bc03c8f78574b72a7a684bb268f9

SHA256
eb0d8cfa71bf388bf4a5c0e6df5e8054b578cbc9548c07235238188786635dff

SHA512
bdf522140adae8a297c4c17c84e20860d54ed0899b7d34497c5c06afaa335ff4f382f75f6e265b0e8fdce4a4646056e77fe47dc710c0ef74d5831012997a13b7

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe.xml

Filesize
24KB

MD5
56cc188f572451b90ca1f71b44ac4e64

SHA1
790a449a478a6fbfd0fa2cc38d541ee62098746b

SHA256
df14300ee7cae37c4264ca6b10a60e30f8f94cba7b0e6430576decbf031c4eaa

SHA512
1b42c9e22cf3b8cb0433716364f8f775368c175ddce94026ae30743c352b73a1c4574603967120d28fdcad1f8cf977104f907c7f8140c41b2064d6658945fd83

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c.xml

Filesize
35KB

MD5
d838647709cc692e5baa42ed5e612a15

SHA1
28403026cfc539e10cec2de39cc4273dfffa506e

SHA256
54e71797852c8b4dfe12af952c305db2d2416ded7e2cae5c1ea766070be981da

SHA512
1b3eac54dad342ba0bff5fdb66b569ae14cff892bae71dd3f9a5e0e1ff2f8f03656649c68a3f7ba9d106eec57ea56e0cb039747e435339ffe9a46dc96f58575c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
2777fb4bc019ff8e60d247f6cce6b754

SHA1
eb4e6dc3d9232d2fbf53a489298e33a040dfc714

SHA256
99580f2d34a2ac7eb1ede0c83e0da33f6a8e946a15bf9865252b1bc13bcc92a5

SHA512
373ec6b5f2b46e91e7722ea8c562e0e03ecc7c77d4087b144f89dfa6cad21d015bb07770c16a302da12b5202f7ff38a7df90a7bfd2939f85c1488b5eff41e233

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml

Filesize
2KB

MD5
b92eea712a8a63a66e21156d66a5fcfc

SHA1
86f3274afee32518c49307c92b586ca67fbd98ae

SHA256
d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e

SHA512
94577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\overlay.png

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\utc.cert.json

Filesize
2KB

MD5
635a39ff9f822dcfd1fb3c22e6ffeb45

SHA1
148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca

SHA256
dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd

SHA512
f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1378.exe

Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1378.exe

Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\48E1.exe

Filesize
276KB

MD5
ec5a9982316bd834d0b86f26e1c7b8f0

SHA1
3e21f03d7f7b156c637bfa215074938cc5721390

SHA256
74bb3105998c9b5ebced3ff42889fce1c437d37f76da8ba1980762e6d88f0186

SHA512
dd19a7e65888aa58af67300ca52d86d8adfb0876733f222f3b98d20d282225896f0499ea14e2966e08ac9d0963619627dcd3e0872d954c8bb70c3ad3420664ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\48E1.exe

Filesize
276KB

MD5
ec5a9982316bd834d0b86f26e1c7b8f0

SHA1
3e21f03d7f7b156c637bfa215074938cc5721390

SHA256
74bb3105998c9b5ebced3ff42889fce1c437d37f76da8ba1980762e6d88f0186

SHA512
dd19a7e65888aa58af67300ca52d86d8adfb0876733f222f3b98d20d282225896f0499ea14e2966e08ac9d0963619627dcd3e0872d954c8bb70c3ad3420664ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\nppdf32.dll

Filesize
774KB

MD5
900146be318bbebb371276ad5fcde983

SHA1
686b2a18d022dc8ee958bd189ee7e3cc528cf75a

SHA256
8b09217eaa834449dffd1e16d06c1dcec54af21f940d7acf9e69e58b935eb119

SHA512
991c2c47789e331975e40a7bf1a2bd78dfe8dfe6b556d6ab138276805adca48ed2d117885b492c9025ffd8de2aaa53c1ce564f5df62ed97b628632f6acf252ea

Download Submit
memory/116-215-0x0000000000000000-mapping.dmp

Download
memory/472-276-0x00000203DB240000-0x00000203DB4F5000-memory.dmp

Filesize
2.7MB

Download
memory/472-279-0x00000203DB240000-0x00000203DB4F5000-memory.dmp

Filesize
2.7MB

Download
memory/472-272-0x00007FF717F46890-mapping.dmp

Download
memory/472-273-0x00000203DB0C0000-0x00000203DB200000-memory.dmp

Filesize
1.2MB

Download
memory/656-188-0x00007FF717F46890-mapping.dmp

Download
memory/656-193-0x000001333E220000-0x000001333E4D5000-memory.dmp

Filesize
2.7MB

Download
memory/656-189-0x000001333FC80000-0x000001333FDC0000-memory.dmp

Filesize
1.2MB

Download
memory/656-190-0x000001333FC80000-0x000001333FDC0000-memory.dmp

Filesize
1.2MB

Download
memory/656-191-0x000001333E220000-0x000001333E4D5000-memory.dmp

Filesize
2.7MB

Download
memory/780-183-0x0000000000000000-mapping.dmp

Download
memory/1128-323-0x0000000000000000-mapping.dmp

Download
memory/1144-168-0x0000000004020000-0x0000000004B75000-memory.dmp

Filesize
11.3MB

Download
memory/1144-159-0x0000000004020000-0x0000000004B75000-memory.dmp

Filesize
11.3MB

Download
memory/1144-194-0x0000000004020000-0x0000000004B75000-memory.dmp

Filesize
11.3MB

Download
memory/1216-289-0x0000000000000000-mapping.dmp

Download
memory/1340-300-0x0000000000000000-mapping.dmp

Download
memory/1608-332-0x0000000000000000-mapping.dmp

Download
memory/1900-214-0x0000015D071D0000-0x0000015D07485000-memory.dmp

Filesize
2.7MB

Download
memory/1900-213-0x0000015D071D0000-0x0000015D07485000-memory.dmp

Filesize
2.7MB

Download
memory/1900-210-0x00007FF717F46890-mapping.dmp

Download
memory/1900-211-0x0000015D07040000-0x0000015D07180000-memory.dmp

Filesize
1.2MB

Download
memory/1900-212-0x0000015D07040000-0x0000015D07180000-memory.dmp

Filesize
1.2MB

Download
memory/1924-256-0x0000026F05B00000-0x0000026F05DB5000-memory.dmp

Filesize
2.7MB

Download
memory/1924-252-0x00007FF717F46890-mapping.dmp

Download
memory/1924-253-0x0000026F07560000-0x0000026F076A0000-memory.dmp

Filesize
1.2MB

Download
memory/1924-254-0x0000026F07560000-0x0000026F076A0000-memory.dmp

Filesize
1.2MB

Download
memory/1924-255-0x0000026F05B00000-0x0000026F05DB5000-memory.dmp

Filesize
2.7MB

Download
memory/1960-266-0x0000000000000000-mapping.dmp

Download
memory/2096-278-0x0000000000000000-mapping.dmp

Download
memory/2156-236-0x0000000000000000-mapping.dmp

Download
memory/2164-224-0x0000000000000000-mapping.dmp

Download
memory/2248-142-0x000000000224C000-0x0000000002335000-memory.dmp

Filesize
932KB

Download
memory/2248-136-0x0000000000000000-mapping.dmp

Download
memory/2248-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2248-143-0x0000000002430000-0x000000000255E000-memory.dmp

Filesize
1.2MB

Download
memory/2400-333-0x000002A405F10000-0x000002A4061C5000-memory.dmp

Filesize
2.7MB

Download
memory/2400-328-0x00007FF717F46890-mapping.dmp

Download
memory/2400-331-0x000002A405F10000-0x000002A4061C5000-memory.dmp

Filesize
2.7MB

Download
memory/2540-148-0x000000000074D000-0x0000000000767000-memory.dmp

Filesize
104KB

Download
memory/2540-145-0x0000000000000000-mapping.dmp

Download
memory/2540-153-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2540-149-0x00000000006C0000-0x00000000006EA000-memory.dmp

Filesize
168KB

Download
memory/2540-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2576-257-0x0000000000000000-mapping.dmp

Download
memory/2988-175-0x00000223FAD10000-0x00000223FAE50000-memory.dmp

Filesize
1.2MB

Download
memory/2988-176-0x00000223FAD10000-0x00000223FAE50000-memory.dmp

Filesize
1.2MB

Download
memory/2988-178-0x00000223FAE80000-0x00000223FB135000-memory.dmp

Filesize
2.7MB

Download
memory/2988-174-0x00007FF717F46890-mapping.dmp

Download
memory/2988-182-0x00000223FAE80000-0x00000223FB135000-memory.dmp

Filesize
2.7MB

Download
memory/2988-177-0x0000000000A60000-0x0000000000D04000-memory.dmp

Filesize
2.6MB

Download
memory/3064-311-0x0000000000000000-mapping.dmp

Download
memory/3164-288-0x0000000000000000-mapping.dmp

Download
memory/3312-290-0x00000159BB060000-0x00000159BB315000-memory.dmp

Filesize
2.7MB

Download
memory/3312-284-0x00007FF717F46890-mapping.dmp

Download
memory/3312-287-0x00000159BB060000-0x00000159BB315000-memory.dmp

Filesize
2.7MB

Download
memory/3464-296-0x00007FF717F46890-mapping.dmp

Download
memory/3464-299-0x0000029068260000-0x0000029068515000-memory.dmp

Filesize
2.7MB

Download
memory/3464-301-0x0000029068260000-0x0000029068515000-memory.dmp

Filesize
2.7MB

Download
memory/3640-218-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-173-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-209-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-207-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-206-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-334-0x0000000004880000-0x00000000053D5000-memory.dmp

Filesize
11.3MB

Download
memory/3640-139-0x0000000000000000-mapping.dmp

Download
memory/3640-151-0x0000000004880000-0x00000000053D5000-memory.dmp

Filesize
11.3MB

Download
memory/3640-152-0x0000000004880000-0x00000000053D5000-memory.dmp

Filesize
11.3MB

Download
memory/3640-216-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-217-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-154-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-219-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-155-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-167-0x0000000004880000-0x00000000053D5000-memory.dmp

Filesize
11.3MB

Download
memory/3640-291-0x0000000005696000-0x0000000005698000-memory.dmp

Filesize
8KB

Download
memory/3640-170-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-171-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-208-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-226-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-227-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-228-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-229-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-172-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-184-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-185-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-274-0x0000000005696000-0x0000000005698000-memory.dmp

Filesize
8KB

Download
memory/3640-186-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-271-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-270-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-237-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-238-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-239-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-240-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-269-0x0000000006EC0000-0x0000000007000000-memory.dmp

Filesize
1.2MB

Download
memory/3640-268-0x0000000006EC0000-0x0000000007000000-memory.dmp

Filesize
1.2MB

Download
memory/3640-187-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-261-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-260-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-259-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-258-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-248-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-249-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-250-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-251-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-195-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-197-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-198-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3640-196-0x00000000055F0000-0x0000000005730000-memory.dmp

Filesize
1.2MB

Download
memory/3676-181-0x0000000004910000-0x0000000005465000-memory.dmp

Filesize
11.3MB

Download
memory/3676-180-0x0000000004910000-0x0000000005465000-memory.dmp

Filesize
11.3MB

Download
memory/3676-179-0x0000000004910000-0x0000000005465000-memory.dmp

Filesize
11.3MB

Download
memory/3676-166-0x0000000000000000-mapping.dmp

Download
memory/3784-243-0x000001C2B3670000-0x000001C2B37B0000-memory.dmp

Filesize
1.2MB

Download
memory/3784-246-0x000001C2B1C10000-0x000001C2B1EC5000-memory.dmp

Filesize
2.7MB

Download
memory/3784-244-0x000001C2B1C10000-0x000001C2B1EC5000-memory.dmp

Filesize
2.7MB

Download
memory/3784-241-0x00007FF717F46890-mapping.dmp

Download
memory/3784-242-0x000001C2B3670000-0x000001C2B37B0000-memory.dmp

Filesize
1.2MB

Download
memory/3968-205-0x0000000000000000-mapping.dmp

Download
memory/4124-203-0x0000000000000000-mapping.dmp

Download
memory/4124-277-0x0000000000000000-mapping.dmp

Download
memory/4144-313-0x0000000000000000-mapping.dmp

Download
memory/4144-245-0x0000000000000000-mapping.dmp

Download
memory/4196-221-0x000002545F800000-0x000002545F940000-memory.dmp

Filesize
1.2MB

Download
memory/4196-220-0x00007FF717F46890-mapping.dmp

Download
memory/4196-222-0x000002545F800000-0x000002545F940000-memory.dmp

Filesize
1.2MB

Download
memory/4196-223-0x000002545F960000-0x000002545FC15000-memory.dmp

Filesize
2.7MB

Download
memory/4196-225-0x000002545F960000-0x000002545FC15000-memory.dmp

Filesize
2.7MB

Download
memory/4212-247-0x0000000000000000-mapping.dmp

Download
memory/4592-230-0x00007FF717F46890-mapping.dmp

Download
memory/4592-235-0x0000020288DA0000-0x0000020289055000-memory.dmp

Filesize
2.7MB

Download
memory/4592-233-0x0000020288DA0000-0x0000020289055000-memory.dmp

Filesize
2.7MB

Download
memory/4592-232-0x000002028A800000-0x000002028A940000-memory.dmp

Filesize
1.2MB

Download
memory/4592-231-0x000002028A800000-0x000002028A940000-memory.dmp

Filesize
1.2MB

Download
memory/4700-318-0x00007FF717F46890-mapping.dmp

Download
memory/4700-321-0x000001A942C40000-0x000001A942EF5000-memory.dmp

Filesize
2.7MB

Download
memory/4700-322-0x000001A942C40000-0x000001A942EF5000-memory.dmp

Filesize
2.7MB

Download
memory/4704-264-0x000001D0D3A60000-0x000001D0D3BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4704-263-0x000001D0D3A60000-0x000001D0D3BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4704-265-0x000001D0D2000000-0x000001D0D22B5000-memory.dmp

Filesize
2.7MB

Download
memory/4704-262-0x00007FF717F46890-mapping.dmp

Download
memory/4704-267-0x000001D0D2000000-0x000001D0D22B5000-memory.dmp

Filesize
2.7MB

Download
memory/4716-201-0x00000234B30B0000-0x00000234B31F0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-204-0x00000234B1650000-0x00000234B1905000-memory.dmp

Filesize
2.7MB

Download
memory/4716-200-0x00000234B30B0000-0x00000234B31F0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-202-0x00000234B1650000-0x00000234B1905000-memory.dmp

Filesize
2.7MB

Download
memory/4716-199-0x00007FF717F46890-mapping.dmp

Download
memory/4872-132-0x0000000000767000-0x0000000000778000-memory.dmp

Filesize
68KB

Download
memory/4872-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4872-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4872-133-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/5016-192-0x0000000000000000-mapping.dmp

Download
memory/5028-234-0x0000000000000000-mapping.dmp

Download
memory/5028-302-0x0000000000000000-mapping.dmp

Download
memory/5068-312-0x0000020C65380000-0x0000020C65635000-memory.dmp

Filesize
2.7MB

Download
memory/5068-310-0x0000020C65380000-0x0000020C65635000-memory.dmp

Filesize
2.7MB

Download
memory/5068-307-0x00007FF717F46890-mapping.dmp

Download