lumma | 377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a

Analysis

max time kernel
94s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
Size

257KB
MD5

83598d9bfef81ec9a4d014069b6a8942
SHA1

b5ac63f10f787de1624b9c13c85427cd3be834af
SHA256

377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a
SHA512

a7b32a1c431f1f8ed1ef16af1ad2cee66f34ffc884baf3d8b580e34053d2bdc7a1405727b8403b208fda1a033438c29edf87e78b88df793b91ab0ceac678e552
SSDEEP

6144:WTtWE1LA5ajdX0oCelQKzHDU69dmk2U4zqQna:WTA2E5wdRHDV9kfFP

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4788-133-0x00000000004D0000-0x00000000004D9000-memory.dmp	family_smokeloader
behavioral1/memory/4788-136-0x00000000004D0000-0x00000000004D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

38 2056 rundll32.exe
43 2056 rundll32.exe
56 2056 rundll32.exe
65 2056 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2C40.exe5B31.exe

pid process

5048 2C40.exe
1664 5B31.exe

flow	pid	process
38	2056	rundll32.exe
43	2056	rundll32.exe
56	2056	rundll32.exe
65	2056	rundll32.exe

pid	process
5048	2C40.exe
1664	5B31.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\main-cef-mac\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\main-cef-mac.dll㜀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\main-cef-mac\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\main-cef-mac.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\main-cef-mac\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2056 rundll32.exe
4416 svchost.exe
3380 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2056	rundll32.exe
4416	svchost.exe
3380	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2056 set thread context of 2060	2056	rundll32.exe	rundll32.exe
PID 2056 set thread context of 3756	2056	rundll32.exe	rundll32.exe
PID 2056 set thread context of 2468	2056	rundll32.exe	rundll32.exe
PID 2056 set thread context of 5060	2056	rundll32.exe	rundll32.exe
PID 2056 set thread context of 3644	2056	rundll32.exe	rundll32.exe

Drops file in Program Files directory 40 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LICENSE.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\MoreTools.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DropboxStorage.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\trash.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ViewerPS.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4340 5048 WerFault.exe 2C40.exe
4200 1664 WerFault.exe 5B31.exe

pid	pid_target	process	target process
4340	5048	WerFault.exe	2C40.exe
4200	1664	WerFault.exe	5B31.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 57 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030565340100054656d7000003a0009000400efbe21550a58305656402e00000000000000000000000000000000000000000000000000d801c300540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe

pid	process
4788	377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
4788	377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe

pid process

4788 377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe

pid	process
3036

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	2056	rundll32.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2060	rundll32.exe
3036
3036
3036
3036
2056	rundll32.exe
3036
3036
3036
3036
3756	rundll32.exe
2056	rundll32.exe
2468	rundll32.exe
2056	rundll32.exe
5060	rundll32.exe
3644	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3036
3036

pid	process
3036
3036

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

2C40.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3036 wrote to memory of 5048	3036		2C40.exe
PID 3036 wrote to memory of 5048	3036		2C40.exe
PID 3036 wrote to memory of 5048	3036		2C40.exe
PID 5048 wrote to memory of 2056	5048	2C40.exe	rundll32.exe
PID 5048 wrote to memory of 2056	5048	2C40.exe	rundll32.exe
PID 5048 wrote to memory of 2056	5048	2C40.exe	rundll32.exe
PID 3036 wrote to memory of 1664	3036		5B31.exe
PID 3036 wrote to memory of 1664	3036		5B31.exe
PID 3036 wrote to memory of 1664	3036		5B31.exe
PID 2056 wrote to memory of 2060	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 2060	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 2060	2056	rundll32.exe	rundll32.exe
PID 4416 wrote to memory of 3380	4416	svchost.exe	rundll32.exe
PID 4416 wrote to memory of 3380	4416	svchost.exe	rundll32.exe
PID 4416 wrote to memory of 3380	4416	svchost.exe	rundll32.exe
PID 2056 wrote to memory of 2824	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 2824	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 2824	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 3756	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 3756	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 3756	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 4092	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4092	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4092	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 2468	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 2468	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 2468	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 4424	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4424	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4424	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4568	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4568	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4568	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 5060	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 5060	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 5060	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 4940	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4940	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4940	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4972	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4972	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 4972	2056	rundll32.exe	schtasks.exe
PID 2056 wrote to memory of 3644	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 3644	2056	rundll32.exe	rundll32.exe
PID 2056 wrote to memory of 3644	2056	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe
"C:\Users\Admin\AppData\Local\Temp\377ffb7a599571bb7846f83c57e55ca676f056bce2f3199e65f232b9a962ed9a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4788

C:\Users\Admin\AppData\Local\Temp\2C40.exe
C:\Users\Admin\AppData\Local\Temp\2C40.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2056

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4424

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4568

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4940

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4972

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Suspicious use of FindShellTrayWindow
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4556

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4048

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2100

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4988

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2684

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3344

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3920

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5032

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4256

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:476

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4620

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3928

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:840

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:728

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 532
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5048 -ip 5048
1⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\5B31.exe
C:\Users\Admin\AppData\Local\Temp\5B31.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1356
2⤵
- Program crash
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1664 -ip 1664
1⤵
PID:4420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main-cef-mac.dll",SRwtZFd1MzlF
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.dll
Filesize
774KB

MD5
35021475b2339c7430afc9c5233fa4a4

SHA1
9d8c6c991036b0b729ba39d707c5db36a13d3f39

SHA256
08a5eb431f7f927e51a28f1af6a5a98a3d4614fdcb78789cf51f5210840f0246

SHA512
b355f0bdab5146ac130c1efd33883e73585d8a749bd3fb4298e2edd83fbe6301df74b850136a9c51bd1918b44ef44c9c48fbb82f9ac40b5fab4b5018ccf94144

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.dll
Filesize
774KB

MD5
35021475b2339c7430afc9c5233fa4a4

SHA1
9d8c6c991036b0b729ba39d707c5db36a13d3f39

SHA256
08a5eb431f7f927e51a28f1af6a5a98a3d4614fdcb78789cf51f5210840f0246

SHA512
b355f0bdab5146ac130c1efd33883e73585d8a749bd3fb4298e2edd83fbe6301df74b850136a9c51bd1918b44ef44c9c48fbb82f9ac40b5fab4b5018ccf94144

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Diagtrack-Listener.etl
Filesize
192KB

MD5
8b307dfe467c82538d8a1a27cac4e4c0

SHA1
fefdee33de626f7f198bb885c2c4b03c5b366d8a

SHA256
889436941087acd408bf480bcb01dfce62cc25c0ad694f25c6104a7894f9cd81

SHA512
9ec22cc02e2e126b78493e7b1e1f52e1151c72210697eb3635f93077fa0a22f576e304020cc560a003c620d9c1a3fc94f5abbbaa471e2cb24746ff8a59b57268

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
28KB

MD5
b8c1eec848c415eea04839ad0af75950

SHA1
652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc

SHA256
694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162

SHA512
24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB

MD5
88edd5a41ab82f584c96038657f61fa0

SHA1
7196dd2233a620172932cbe75afc1eae004de540

SHA256
fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5

SHA512
d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
27KB

MD5
539930de67b99bab23fe2c67000eeddb

SHA1
6b0e5ece46ecb0b019ec71caa44facf122647059

SHA256
2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c

SHA512
ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Win64.xml
Filesize
66KB

MD5
c08e2d9084398ad29bb453183bb2155d

SHA1
285b0d897ff73444a74bf9e253d30f7cb1f4f2be

SHA256
9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418

SHA512
d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
c557d27d2b7d12a24b39acc36779f8f7

SHA1
08cfba260f84f926dc66b6b1192d1e474bc98d9a

SHA256
49f44a9db4dde0fc2b7fc4e78581de0f0a77b3c21bd2550c243dcb99f58db3d2

SHA512
d9a3d4cd3a65521d1188563df8b9db1b47962f3e216557ed1df861ae5c33edcff6e4c38b80b3c4d40e652ff78842210a9b0919fe29ff92cf52d876f9f606e2cb

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edbres00001.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C40.exe
Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C40.exe
Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B31.exe
Filesize
276KB

MD5
c16ba0f2004c45a448d524867b6dfac5

SHA1
4511810aaa7ce1542ee94adf00e4f510025a189d

SHA256
6b8838ea9bff0a51596fe3c2b77b3b0a5402c23cc87692d3648d8f4a28ce705d

SHA512
460237872e9bcf0e70f3d719b7321171f6969bbb3dac1d1d744b8be590a59f9fcba3cb1331e7c19448f4c4f45a340dd704209154e87f20fcdc80d0b8489a50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B31.exe
Filesize
276KB

MD5
c16ba0f2004c45a448d524867b6dfac5

SHA1
4511810aaa7ce1542ee94adf00e4f510025a189d

SHA256
6b8838ea9bff0a51596fe3c2b77b3b0a5402c23cc87692d3648d8f4a28ce705d

SHA512
460237872e9bcf0e70f3d719b7321171f6969bbb3dac1d1d744b8be590a59f9fcba3cb1331e7c19448f4c4f45a340dd704209154e87f20fcdc80d0b8489a50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\main-cef-mac.dll
Filesize
774KB

MD5
35021475b2339c7430afc9c5233fa4a4

SHA1
9d8c6c991036b0b729ba39d707c5db36a13d3f39

SHA256
08a5eb431f7f927e51a28f1af6a5a98a3d4614fdcb78789cf51f5210840f0246

SHA512
b355f0bdab5146ac130c1efd33883e73585d8a749bd3fb4298e2edd83fbe6301df74b850136a9c51bd1918b44ef44c9c48fbb82f9ac40b5fab4b5018ccf94144

Download Submit
memory/476-294-0x0000000000000000-mapping.dmp

Download
memory/728-326-0x000001E1FCD60000-0x000001E1FD015000-memory.dmp

Filesize
2.7MB

Download
memory/728-321-0x00007FF7F5016890-mapping.dmp

Download
memory/728-324-0x000001E1FCD60000-0x000001E1FD015000-memory.dmp

Filesize
2.7MB

Download
memory/840-316-0x0000000000000000-mapping.dmp

Download
memory/1556-304-0x0000020ACA920000-0x0000020ACABD5000-memory.dmp

Filesize
2.7MB

Download
memory/1556-299-0x00007FF7F5016890-mapping.dmp

Download
memory/1556-302-0x0000020ACA920000-0x0000020ACABD5000-memory.dmp

Filesize
2.7MB

Download
memory/1664-151-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download
memory/1664-155-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1664-152-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1664-150-0x000000000076D000-0x0000000000787000-memory.dmp

Filesize
104KB

Download
memory/1664-147-0x0000000000000000-mapping.dmp

Download
memory/2056-213-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-264-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-164-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-158-0x00000000052A0000-0x0000000005DF5000-memory.dmp

Filesize
11.3MB

Download
memory/2056-172-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-157-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-156-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-154-0x00000000052A0000-0x0000000005DF5000-memory.dmp

Filesize
11.3MB

Download
memory/2056-153-0x00000000052A0000-0x0000000005DF5000-memory.dmp

Filesize
11.3MB

Download
memory/2056-173-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-242-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-243-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-244-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-245-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-234-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-141-0x0000000000000000-mapping.dmp

Download
memory/2056-233-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-180-0x0000000005F61000-0x0000000005F63000-memory.dmp

Filesize
8KB

Download
memory/2056-232-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-231-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-253-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-254-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-255-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-256-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-263-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-187-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-188-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-189-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-190-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-224-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-223-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-277-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-276-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-275-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-274-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-197-0x0000000005F61000-0x0000000005F63000-memory.dmp

Filesize
8KB

Download
memory/2056-222-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-199-0x00000000078E0000-0x0000000007A20000-memory.dmp

Filesize
1.2MB

Download
memory/2056-200-0x00000000078E0000-0x0000000007A20000-memory.dmp

Filesize
1.2MB

Download
memory/2056-201-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-202-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-221-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-163-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-265-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-266-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-212-0x0000000005F50000-0x0000000006090000-memory.dmp

Filesize
1.2MB

Download
memory/2056-211-0x00000000078E0000-0x0000000007A20000-memory.dmp

Filesize
1.2MB

Download
memory/2056-210-0x00000000078E0000-0x0000000007A20000-memory.dmp

Filesize
1.2MB

Download
memory/2060-177-0x000002721F730000-0x000002721F870000-memory.dmp

Filesize
1.2MB

Download
memory/2060-185-0x000002721DCD0000-0x000002721DF85000-memory.dmp

Filesize
2.7MB

Download
memory/2060-181-0x000002721DCD0000-0x000002721DF85000-memory.dmp

Filesize
2.7MB

Download
memory/2060-174-0x00007FF7F5016890-mapping.dmp

Download
memory/2060-176-0x000002721F730000-0x000002721F870000-memory.dmp

Filesize
1.2MB

Download
memory/2060-183-0x00000000008D0000-0x0000000000B74000-memory.dmp

Filesize
2.6MB

Download
memory/2100-241-0x0000000000000000-mapping.dmp

Download
memory/2184-292-0x0000000000000000-mapping.dmp

Download
memory/2268-271-0x0000000000000000-mapping.dmp

Download
memory/2404-313-0x00000233B0F40000-0x00000233B11F5000-memory.dmp

Filesize
2.7MB

Download
memory/2404-310-0x00007FF7F5016890-mapping.dmp

Download
memory/2404-315-0x00000233B0F40000-0x00000233B11F5000-memory.dmp

Filesize
2.7MB

Download
memory/2404-239-0x0000000000000000-mapping.dmp

Download
memory/2468-206-0x000001F42F470000-0x000001F42F5B0000-memory.dmp

Filesize
1.2MB

Download
memory/2468-203-0x00007FF7F5016890-mapping.dmp

Download
memory/2468-204-0x000001F42F470000-0x000001F42F5B0000-memory.dmp

Filesize
1.2MB

Download
memory/2468-209-0x000001F42DA10000-0x000001F42DCC5000-memory.dmp

Filesize
2.7MB

Download
memory/2468-207-0x000001F42DA10000-0x000001F42DCC5000-memory.dmp

Filesize
2.7MB

Download
memory/2684-267-0x00007FF7F5016890-mapping.dmp

Download
memory/2684-272-0x000001FEB3290000-0x000001FEB3545000-memory.dmp

Filesize
2.7MB

Download
memory/2684-268-0x000001FEB4CF0000-0x000001FEB4E30000-memory.dmp

Filesize
1.2MB

Download
memory/2684-269-0x000001FEB4CF0000-0x000001FEB4E30000-memory.dmp

Filesize
1.2MB

Download
memory/2684-270-0x000001FEB3290000-0x000001FEB3545000-memory.dmp

Filesize
2.7MB

Download
memory/2824-186-0x0000000000000000-mapping.dmp

Download
memory/3180-261-0x0000000000000000-mapping.dmp

Download
memory/3344-273-0x0000000000000000-mapping.dmp

Download
memory/3380-184-0x0000000005070000-0x0000000005BC5000-memory.dmp

Filesize
11.3MB

Download
memory/3380-182-0x0000000005070000-0x0000000005BC5000-memory.dmp

Filesize
11.3MB

Download
memory/3380-175-0x0000000000000000-mapping.dmp

Download
memory/3472-325-0x0000000000000000-mapping.dmp

Download
memory/3620-258-0x0000019609A40000-0x0000019609B80000-memory.dmp

Filesize
1.2MB

Download
memory/3620-262-0x0000019607FE0000-0x0000019608295000-memory.dmp

Filesize
2.7MB

Download
memory/3620-260-0x0000019607FE0000-0x0000019608295000-memory.dmp

Filesize
2.7MB

Download
memory/3620-259-0x0000019609A40000-0x0000019609B80000-memory.dmp

Filesize
1.2MB

Download
memory/3620-257-0x00007FF7F5016890-mapping.dmp

Download
memory/3644-229-0x000001C04DAA0000-0x000001C04DD55000-memory.dmp

Filesize
2.7MB

Download
memory/3644-225-0x00007FF7F5016890-mapping.dmp

Download
memory/3644-226-0x000001C04D940000-0x000001C04DA80000-memory.dmp

Filesize
1.2MB

Download
memory/3644-227-0x000001C04D940000-0x000001C04DA80000-memory.dmp

Filesize
1.2MB

Download
memory/3644-228-0x000001C04DAA0000-0x000001C04DD55000-memory.dmp

Filesize
2.7MB

Download
memory/3756-191-0x00007FF7F5016890-mapping.dmp

Download
memory/3756-193-0x00000258BBB90000-0x00000258BBCD0000-memory.dmp

Filesize
1.2MB

Download
memory/3756-192-0x00000258BBB90000-0x00000258BBCD0000-memory.dmp

Filesize
1.2MB

Download
memory/3756-198-0x00000258BA130000-0x00000258BA3E5000-memory.dmp

Filesize
2.7MB

Download
memory/3756-194-0x00000258BA130000-0x00000258BA3E5000-memory.dmp

Filesize
2.7MB

Download
memory/3920-279-0x000001CE1B1B0000-0x000001CE1B2F0000-memory.dmp

Filesize
1.2MB

Download
memory/3920-278-0x00007FF7F5016890-mapping.dmp

Download
memory/3920-281-0x000001CE198E0000-0x000001CE19B95000-memory.dmp

Filesize
2.7MB

Download
memory/3920-283-0x000001CE198E0000-0x000001CE19B95000-memory.dmp

Filesize
2.7MB

Download
memory/3928-314-0x0000000000000000-mapping.dmp

Download
memory/3980-305-0x0000000000000000-mapping.dmp

Download
memory/4048-240-0x0000025FF41E0000-0x0000025FF4495000-memory.dmp

Filesize
2.7MB

Download
memory/4048-235-0x00007FF7F5016890-mapping.dmp

Download
memory/4048-236-0x0000025FF5C40000-0x0000025FF5D80000-memory.dmp

Filesize
1.2MB

Download
memory/4048-237-0x0000025FF5C40000-0x0000025FF5D80000-memory.dmp

Filesize
1.2MB

Download
memory/4048-238-0x0000025FF41E0000-0x0000025FF4495000-memory.dmp

Filesize
2.7MB

Download
memory/4092-195-0x0000000000000000-mapping.dmp

Download
memory/4180-252-0x0000000000000000-mapping.dmp

Download
memory/4188-246-0x00007FF7F5016890-mapping.dmp

Download
memory/4188-248-0x000001D21E2A0000-0x000001D21E3E0000-memory.dmp

Filesize
1.2MB

Download
memory/4188-249-0x000001D21C820000-0x000001D21CAD5000-memory.dmp

Filesize
2.7MB

Download
memory/4188-247-0x000001D21E2A0000-0x000001D21E3E0000-memory.dmp

Filesize
1.2MB

Download
memory/4188-251-0x000001D21C820000-0x000001D21CAD5000-memory.dmp

Filesize
2.7MB

Download
memory/4256-288-0x00007FF7F5016890-mapping.dmp

Download
memory/4256-293-0x000002689D950000-0x000002689DC05000-memory.dmp

Filesize
2.7MB

Download
memory/4256-291-0x000002689D950000-0x000002689DC05000-memory.dmp

Filesize
2.7MB

Download
memory/4416-162-0x00000000038F0000-0x0000000004445000-memory.dmp

Filesize
11.3MB

Download
memory/4416-196-0x00000000038F0000-0x0000000004445000-memory.dmp

Filesize
11.3MB

Download
memory/4416-179-0x00000000038F0000-0x0000000004445000-memory.dmp

Filesize
11.3MB

Download
memory/4424-205-0x0000000000000000-mapping.dmp

Download
memory/4440-331-0x00007FF7F5016890-mapping.dmp

Download
memory/4556-230-0x0000000000000000-mapping.dmp

Download
memory/4568-208-0x0000000000000000-mapping.dmp

Download
memory/4620-303-0x0000000000000000-mapping.dmp

Download
memory/4788-132-0x00000000004FD000-0x0000000000513000-memory.dmp

Filesize
88KB

Download
memory/4788-133-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/4788-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4788-135-0x00000000004FD000-0x0000000000513000-memory.dmp

Filesize
88KB

Download
memory/4788-136-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/4788-137-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4940-218-0x0000000000000000-mapping.dmp

Download
memory/4972-220-0x0000000000000000-mapping.dmp

Download
memory/4988-250-0x0000000000000000-mapping.dmp

Download
memory/5032-282-0x0000000000000000-mapping.dmp

Download
memory/5048-145-0x0000000002310000-0x000000000243E000-memory.dmp

Filesize
1.2MB

Download
memory/5048-144-0x0000000002163000-0x000000000224C000-memory.dmp

Filesize
932KB

Download
memory/5048-146-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5048-138-0x0000000000000000-mapping.dmp

Download
memory/5060-219-0x0000020AB07B0000-0x0000020AB0A65000-memory.dmp

Filesize
2.7MB

Download
memory/5060-217-0x0000020AB07B0000-0x0000020AB0A65000-memory.dmp

Filesize
2.7MB

Download
memory/5060-215-0x0000020AB2230000-0x0000020AB2370000-memory.dmp

Filesize
1.2MB

Download
memory/5060-216-0x0000020AB2230000-0x0000020AB2370000-memory.dmp

Filesize
1.2MB

Download
memory/5060-214-0x00007FF7F5016890-mapping.dmp

Download